Re: Question regarding order of SASL authentication mechanisms

From: Markus Moeller (no email)
Date: Sat Dec 06 2008 - 14:14:30 EST

  • Next message: Dan White: "Re: Question regarding order of SASL authentication mechanisms"

    Dieter,

    It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5

    With /etc/sasl2/slapd.conf
    mech_list: gssapi digest-md5 external

    I get:

     # ldapsearch -h localhost -b "" -s base +
    SASL/DIGEST-MD5 authentication started
    Please enter your password:

    with /etc/sasl2/slapd.conf
    mech_list: gssapi external

    I get:

    ldapsearch -h localhost -b "" -s base +
    SASL/GSSAPI authentication started
    SASL username:
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: +
    #

    #
    dn:
    structuralObjectClass: OpenLDAProotDSE
    configContext: cn=config
    namingContexts: dc=suse,dc=home
    supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
    supportedControl: 2.16.840.1.113730.3.4.18
    supportedControl: 2.16.840.1.113730.3.4.2
    supportedControl: 1.3.6.1.4.1.4203.1.10.1
    supportedControl: 1.2.840.113556.1.4.319
    supportedControl: 1.2.826.0.1.3344810.2.3
    supportedControl: 1.3.6.1.1.13.2
    supportedControl: 1.3.6.1.1.13.1
    supportedControl: 1.3.6.1.1.12
    supportedExtension: 1.3.6.1.4.1.1466.20037
    supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    supportedExtension: 1.3.6.1.1.8
    supportedFeatures: 1.3.6.1.1.14
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
    supportedLDAPVersion: 3
    supportedSASLMechanisms: GSSAPI
    entryDN:
    subschemaSubentry: cn=Subschema

    # search result
    search: 5
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    Markus

    "Dieter Kluenter" <> wrote in message
    news:...
    "Markus Moeller" <> writes:

    > I'd like to use for ldap bind GSSAPI as the first sasl authentication
    > mechanism and digest-md5 as the second preferred method (e.g. if the
    > client does not support GSSAPI)
    >
    > I have configured slapd with /etc/sasl2/slapd.conf that has gssapi
    > before digest-md5 (I assume the order is important, is it?) .

    No, it is not important, as sasl selects the most appropriate
    mechanism.

    > mech_list: gssapi digest-md5 cram-md5 external
    >
    > But despite the above order I get gssapi as the last in the list of
    > supportedsaslmechanisms
    >
    > #ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w
    > password -b "" -s base "supportedsaslmechanisms"
    > # extended LDIF
    > #
    > # LDAPv3
    > # base <> with scope baseObject
    > # filter: (objectclass=*)
    > # requesting: supportedsaslmechanisms
    > #
    >
    > #
    > dn:
    > supportedSASLMechanisms: DIGEST-MD5
    > supportedSASLMechanisms: CRAM-MD5
    > supportedSASLMechanisms: GSSAPI

    The ldap protocol is a message based protocol and there are no ordering
    rules defined to present results. Ordering of search results is left
    to the clients.

    > # search result
    > search: 2
    > result: 0 Success
    >
    > # numResponses: 2
    > # numEntries: 1
    >
    > and a query will force digest-md5 authentication (despite the GSSAPI
    > capability of the client).
    >
    > #ldapsearch -H ldap://192.168.1.27 -s base -b "" "supportedsaslmechanisms"
    > SASL/DIGEST-MD5 authentication started
    > Please enter your password:
    >
    > If I change /etc/sasl2/slapd.conf to
    >
    > mech_list: gssapi
    >
    > I get gssapi to work
    >
    > #ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
    > SASL/GSSAPI authentication started
    > SASL username:
    > SASL SSF: 56
    > SASL installing layers
    > # extended LDIF
    > #
    > # LDAPv3
    > # base <> with scope baseObject
    > # filter: (objectclass=*)
    > # requesting: supportedsaslmechanisms
    > #
    >
    > #
    > dn:
    > supportedSASLMechanisms: GSSAPI
    >
    > # search result
    > search: 5
    > result: 0 Success
    >
    > # numResponses: 2
    > # numEntries: 1
    >
    >
    > What do I need to do to force the order on the server ?

    This is not necessary. The strong bind authentication is not done by
    slapd but passed to the sasl framework, sasl selects the most secure
    mechanism available, that is in your case GSSAPI. Just test it by
    calling ldapsearch without any bind options, something like:
    ldapsearch -h localhost -b "" -s base +

    -Dieter

    -- 
    Dieter Klünter | Systemberatung
    http://www.dpunkt.de/buecher/2104.html
    sip: +49.180.1555.7770535
    GPG Key ID:8EF7B6C6
    53°08'09,95"N
    10°08'02,42"E
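The selection rule Dieter refers to (the SASL library, not slapd, picks the mechanism) is modelled below. This is an added example, not code from the thread, from OpenLDAP or from Cyrus SASL. It assumes the maximum SSF each client plugin advertises, with values typical of Cyrus SASL 2.1 clients of that era (DIGEST-MD5 128 via its RC4 layer, GSSAPI 56 with DES, which matches the "SASL SSF: 56" line in the thread, CRAM-MD5 0); with those values a Cyrus-style client ranks DIGEST-MD5 above GSSAPI regardless of the order the server lists them, which is what Markus observes. The rootDSE LDIF in the block is constructed from the output quoted above.

```python
"""Model of how a Cyrus SASL client picks a mechanism from a server's list.

Added example, not code from the thread or from OpenLDAP/Cyrus SASL.
Assumptions: the per-plugin maximum SSF values below are typical of
Cyrus SASL 2.1 client plugins of the time; the LDIF is constructed
from the rootDSE output quoted in the thread.
"""
from __future__ import annotations

# Assumed client plugin table: mechanism -> maximum SSF the plugin can negotiate.
CLIENT_PLUGINS = {
    "GSSAPI": 56,       # Kerberos with DES; the thread shows "SASL SSF: 56"
    "DIGEST-MD5": 128,  # RC4 security layer
    "CRAM-MD5": 0,      # authentication only, no integrity or privacy layer
}

# Constructed rootDSE LDIF, modelled on the thread's ldapsearch output.
ROOTDSE_FULL = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
"""

ROOTDSE_GSSAPI_ONLY = """\
dn:
supportedSASLMechanisms: GSSAPI
"""


def advertised_mechanisms(ldif: str) -> list[str]:
    """Extract supportedSASLMechanisms values from rootDSE LDIF, in server order."""
    mechs = []
    for raw in ldif.splitlines():
        line = raw.strip()
        if line.lower().startswith("supportedsaslmechanisms:"):
            mechs.append(line.split(":", 1)[1].strip().upper())
    return mechs


def choose_mechanism(server_mechs, client_plugins=CLIENT_PLUGINS,
                     minssf=0, forced=None):
    """Return the mechanism a Cyrus-style client starts.

    forced  -- explicit mechanism (what ldapsearch -Y does); it must be
               offered by the server and installed on the client.
    minssf  -- client security property; mechanisms whose maximum SSF is
               below it are discarded.
    Without 'forced', the highest maximum SSF wins. Neither the server's
    list order nor mech_list order on the server enters the decision.
    """
    candidates = [m for m in server_mechs
                  if m in client_plugins and client_plugins[m] >= minssf]
    if forced is not None:
        forced = forced.upper()
        if forced not in candidates:
            raise ValueError(f"{forced} not offered by server or not usable by client")
        return forced
    if not candidates:
        raise ValueError("no mechanism satisfies the client's security properties")
    # max() keeps the first of equal-SSF candidates, so server order only
    # breaks exact ties.
    return max(candidates, key=lambda m: client_plugins[m])


if __name__ == "__main__":
    full = advertised_mechanisms(ROOTDSE_FULL)
    print("server offers:", full)
    print("default choice:", choose_mechanism(full))                    # DIGEST-MD5
    print("reordered list:", choose_mechanism(list(reversed(full))))    # DIGEST-MD5
    print("minssf=56:", choose_mechanism(full, minssf=56))              # DIGEST-MD5
    print("ldapsearch -Y GSSAPI:", choose_mechanism(full, forced="GSSAPI"))
    print("gssapi-only server:",
          choose_mechanism(advertised_mechanisms(ROOTDSE_GSSAPI_ONLY)))  # GSSAPI
```

The practical consequence: raising minssf on the client does not push it toward GSSAPI, because DIGEST-MD5's advertised layer is stronger by this ranking. To get GSSAPI while DIGEST-MD5 is still offered, pin the mechanism on the client (`ldapsearch -Y GSSAPI ...`, or `SASL_MECH GSSAPI` in ldap.conf); server-side, dropping digest-md5 from mech_list, as Markus did, is what changes the outcome.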
    
