Date: Sun, 19 Dec 2010 10:40:04 -0800
From: Bill MacAllister
To: users@directory.apache.org
Subject: Re: GSSAPI Binds to Directory Studio

--On Sunday, December 19, 2010 09:17:09 AM +0100 Stefan Seelmann wrote:

>> But, it seems that the searches are not using GSSAPI to secure the
>> traffic to the server because when I look at the ldap logs I see that
>> the ssf is zero. In our case this means that no data can be returned.
>> (And, yes, I am a bit fuzzy on the exact details since ldapsearch just
>> does the right thing for me without my having to think about it.) Any
>> ideas on how to deal with this?
>
> In the connection's 'Authentication' tab there is a section 'SASL
> Settings' where you can define the QoP. By default it is set to
> 'Authentication only', you should set it to 'Authentication with
> integrity and privacy protection' to enable message privacy. The other
> parameter 'Protection Strength' should be set to high (I think this
> sets ssf to 128).
>
> Kind Regards,
> Stefan

Perfect again. Works like a charm now. This was also one of those
"of course, you idiot" moments for me.

Thanks,

Bill

-- 
Bill MacAllister
Infrastructure Delivery Group, Stanford University
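
Added example, not part of the original thread: a server-side check for the symptom discussed above, GSSAPI binds that complete with an ssf of zero. It assumes OpenLDAP slapd stats-level log lines of the form `BIND dn="..." mech=GSSAPI sasl_ssf=N ssf=N`; the sample lines, DNs, host name and the `min_ssf` parameter are constructed for illustration.

```python
import re

# Assumed format: OpenLDAP slapd "stats" log lines. 2.4 logs sasl_ssf=,
# newer releases log bind_ssf=; both spellings are accepted here.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+) (?:sasl_ssf|bind_ssf)=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)'
)

# Constructed sample lines (host, DNs and connection ids are made up).
SAMPLE_LOG = """\
Dec 19 10:01:02 ldap1 slapd[2211]: conn=1001 op=2 BIND dn="uid=alice,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=0 ssf=0
Dec 19 10:01:02 ldap1 slapd[2211]: conn=1001 op=3 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"
Dec 19 10:05:40 ldap1 slapd[2211]: conn=1002 op=2 BIND dn="uid=alice,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Dec 19 10:07:11 ldap1 slapd[2211]: conn=1003 op=0 BIND dn="cn=app,dc=example,dc=org" mech=SIMPLE ssf=0
Dec 19 10:09:30 ldap1 slapd[2211]: conn=1004 op=2 BIND dn="uid=bob,cn=accounts,dc=example,dc=org" mech=GSSAPI bind_ssf=256 ssf=256
"""


def weak_gssapi_binds(log_text, min_ssf=1):
    """Return (conn, dn, ssf) for GSSAPI binds whose effective ssf is below min_ssf."""
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        # Skip non-BIND lines and binds made with other mechanisms.
        if m is None or m.group("mech") != "GSSAPI":
            continue
        ssf = int(m.group("ssf"))
        if ssf < min_ssf:
            findings.append((int(m.group("conn")), m.group("dn"), ssf))
    return findings


if __name__ == "__main__":
    for conn, dn, ssf in weak_gssapi_binds(SAMPLE_LOG):
        print(f"conn={conn} dn={dn} ssf={ssf}: GSSAPI bind without a security layer")
```

Raising `min_ssf` turns the same check into a policy audit, for example listing every GSSAPI bind that negotiated less than a required strength.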