OpenLDAP SASL mechanism order problem

I’d like to use GSSAPI as the first sasl authentication mechanism and digest-md5 as the second method.

Although /etc/sasl/slapd.conf has gssapi before digest-md5:

```
mech_list: gssapi digest-md5 cram-md5 external
```

I get gssapi as the last in the list of supportedsaslmechanisms:

```
#ldapsearch -H ldap://192.168.1.27 -x -D "CN=Admin,DC=Suse,DC=home" -w password -b "" -s base "supportedsaslmechanisms"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms

dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

And a query will force digest-md5 authentication:

```
#ldapsearch -H ldap://192.168.1.27 -D "CN=Manager,DC=Suse,DC=home" -w Manager00$ -b "" -s base "supportedsaslmechanisms"
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
```

If I change /etc/sasl2/slapd.conf to

```
mech_list: gssapi
```

I get gssapi to work:

```
#ldapsearch -H ldap://192.168.1.27 -b "" -s base "supportedsaslmechanisms"
SASL/GSSAPI authentication started
SASL username: markus@SUSE.HOME
SASL SSF: 56
SASL installing layers
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedsaslmechanisms

dn:
supportedSASLMechanisms: GSSAPI

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
```

Why is slapd not using the right order?

I use openSUSE 11.0 with latest patches.

markus
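An added example, not part of the original post: a Python check that compares the `mech_list` line of the SASL configuration with the `supportedSASLMechanisms` values returned by the root DSE query, so an administrator can confirm which mechanisms the server actually offers. The function names are hypothetical, and the sample input is copied from the two listings in the post.

```python
import re

def parse_mech_list(conf_text):
    """Mechanisms from the mech_list line of the SASL config, upper-cased, in file order."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):          # skip comment lines
            continue
        m = re.match(r"mech_list\s*:\s*(.+)", line, re.IGNORECASE)
        if m:
            return [x.upper() for x in m.group(1).split()]
    return []

def parse_advertised(ldif_text):
    """supportedSASLMechanisms values from ldapsearch output, in output order."""
    mechs = []
    for line in ldif_text.splitlines():
        m = re.match(r"supportedSASLMechanisms:\s*(\S+)", line.strip(), re.IGNORECASE)
        if m:
            mechs.append(m.group(1).upper())
    return mechs

def compare(conf_text, ldif_text):
    """Report differences between configured and advertised mechanisms."""
    configured = parse_mech_list(conf_text)
    advertised = parse_advertised(ldif_text)
    # Compare relative order only for mechanisms present on both sides.
    conf_common = [m for m in configured if m in advertised]
    adv_common = [m for m in advertised if m in configured]
    return {
        "not_advertised": [m for m in configured if m not in advertised],
        "unexpected": [m for m in advertised if m not in configured],
        "same_order": conf_common == adv_common,
        "advertised": advertised,
    }

# Sample input taken from the post above.
CONF = "mech_list: gssapi digest-md5 cram-md5 external\n"
LDIF = """dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
"""

if __name__ == "__main__":
    for key, value in compare(CONF, LDIF).items():
        print(f"{key}: {value}")
```

A non-empty `unexpected` list means the server offers a mechanism that the configuration file does not name, which is the case worth investigating when the goal is to restrict binds to GSSAPI.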