Multiple authentication methods
I am unable to connect an openconnect client using just certificate auth only. Enabled on the server are plain (auth), gssapi (enable-auth) and certificate (enable-auth). The initial cert verification succeeds but ocserv then proceeds to try gssapi which fails for this client as it isn't configured for kerberos.
Jul 16 21:42:13 xxx.xxx.xxx.xxx ocserv[6111]: worker: client certificate verification succeeded
Jul 16 21:42:13 xxx.xxx.xxx.xxx ocserv[4210]: sec-mod: using 'gssapi' authentication to authenticate user (session: QvmDNS)
This is the relevant part of the config file:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
enable-auth = "certificate"
ca-cert = /etc/ssl/certs/xxx.pem
cert-user-oid = 2.5.4.3
enable-auth = "gssapi[keytab=/etc/krb5.keytab,require-local-user-map=false]"
Thanks