Bezüglich Harry Schmalzbauer's Nachricht vom 05.11.2014 18:04 (localtime): … > Sorry, I might have been unclear. > Of course, AUTH=GSSAPI is offered if connection passes STARTTLS, along > WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is > to prevent PLAIN if _no_ encryption level was negotiated. > So you see LOGINDISABLED before TLS session and also _no_ GSSAPI! > At that point (no encryption negotiated) I want to be able to get my > kerberos ticket validated :-) > > disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it > doesn't offer until encryption successfully took place. > But I don't expect GSSAPI also beeing disabled (regardless if encryption > is available or not). > I have no idea why this could be the intended behaviour, and hope > somebody can enlighten me :-)
Sorry for the noise. For those with the same intention and the same problem: I had "ssl = required" set. That of course doesn't return any AUTH method unless encryptino was negotiated. Setting it to "ssl = yes" instead leads to expected results in all variants :-) Thanks, -Harry