Re: Question regarding order of SASL authentication mechanisms

From: Dan White (no email)
Date: Sat Dec 06 2008 - 17:44:49 EST

  • Next message: Markus Moeller: "Re: Question regarding order of SASL authentication mechanisms"

    Markus Moeller wrote:
    > Dieter,
    >
    > It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5
    >
    > With /etc/sasl2/slapd.conf
    > mech_list: gssapi digest-md5 external
    >
    > I get:
    >
    > # ldapsearch -h localhost -b "" -s base +
    > SASL/DIGEST-MD5 authentication started
    > Please enter your password:

    Markus,

    SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a
    256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be
    preferred if no mechanism, or security properties, are specified.

    See the manpage for ldap.conf to force a default SASL mechanism for the
    OpenLDAP client utilities.

    You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.

    - Dan
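
Added example, not part of the message above and not Cyrus SASL or OpenLDAP code: a simplified Python model of the "server offers, client chooses" behaviour the reply describes, showing why the order of `mech_list` does not decide the outcome and what `SASL_MECH` in `~/.ldaprc` changes. The DIGEST-MD5 and GSSAPI strength figures are the ones stated in the message; the EXTERNAL value and the function names are assumptions.

```python
"""Simplified model of SASL client-side mechanism choice (illustrative only)."""

# Strength figures in bits. DIGEST-MD5 and GSSAPI use the values quoted in
# the message above; EXTERNAL = 0 is an assumption made for this model.
SSF = {"DIGEST-MD5": 256, "GSSAPI": 56, "EXTERNAL": 0}


def parse_ldaprc(text):
    """Return (pinned_mech, minssf) from ldap.conf / .ldaprc style text."""
    pinned, minssf = None, 0
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or option without a value
        key, value = parts[0].upper(), parts[1].strip()
        if key == "SASL_MECH":
            pinned = value.upper()
        elif key == "SASL_SECPROPS":
            for prop in value.split(","):
                name, _, num = prop.strip().partition("=")
                if name.lower() == "minssf" and num.isdigit():
                    minssf = int(num)
    return pinned, minssf


def choose_mechanism(server_offer, pinned=None, minssf=0):
    """Pick the mechanism the client starts, or None if nothing qualifies."""
    offered = [m.upper() for m in server_offer]
    usable = [m for m in offered if m in SSF and SSF[m] >= minssf]
    if pinned is not None:
        # A pinned mechanism is used only if the server offers it and it
        # still satisfies the requested security properties.
        return pinned if pinned in usable else None
    # No preference given: the strongest usable mechanism wins, so the
    # position of an entry in the server's list plays no part.
    return max(usable, key=SSF.get, default=None)


if __name__ == "__main__":
    offer = "gssapi digest-md5 external".split()  # mech_list from the thread
    print("no client preference:", choose_mechanism(offer))
    pinned, minssf = parse_ldaprc("SASL_MECH GSSAPI\n")
    print("with SASL_MECH GSSAPI:", choose_mechanism(offer, pinned, minssf))
```
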

