Re: OpenLDAP & Cyrus-SASL: how to specify mech_list



Timo Felbinger wrote:
> Hello,
>
> what is the correct way to specify the list of allowed SASL mechanisms,
> in an OpenLDAP-server using Cyrus-SASL?
>
> The cyrus-sasl documentation mentions the option mech_list, but I cannot
> figure out where and how to specify this. Following some examples I found
> on the net, I tried to include e.g.
> sasl-mech_list: PLAIN
> into my slapd.conf, which I hoped would disable all SASL mechanisms but
> PLAIN, but it didn't have any effect: the server still allowed me to
> authenticate using e.g. EXTERNAL authentication.

Read the slapd.conf(5) manpage. Any directives not mentioned there (like your made-up "sasl-mech_list") are not valid. Look at sasl-secprops; you cannot use PLAIN with the default properties.

> I also tried to specify mech_list in a separate per-application config
> file for the sasl library,
> /usr/lib/sasl2/slapd.conf
> but this file does not even get accessed by the server.

Actually, libsasl2 reads this file automatically, so any valid Cyrus SASL configuration directives placed here will be processed.

> What am I missing here?
> And: is there a way to obtain from the server a complete list of
> authentication mechanisms which it is willing to accept?

Yes, this is a standard feature of LDAPv3, documented in RFC2252. Read up on the supportedSASLMechanisms attribute.


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
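To verify what a server actually advertises after setting mech_list in the per-application SASL config, here is an added example script (not part of this thread or of the OpenLDAP project). It reads the root DSE with ldapsearch and compares the advertised supportedSASLMechanisms against the list you intended; the embedded LDIF is a constructed sample, and the server URL is a placeholder.

```shell
#!/bin/sh
# Constructed sample of what `ldapsearch -LLL` prints for the root DSE of a
# server still offering more mechanisms than intended (not real output).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
'

# The intended whitelist, i.e. what the per-application config file that
# libsasl2 reads (the post names /usr/lib/sasl2/slapd.conf; the directory
# depends on how libsasl2 was built) would contain as
#   mech_list: EXTERNAL GSSAPI
EXPECTED_MECHS="EXTERNAL GSSAPI"

# Fetch the root DSE from a live server: anonymous simple bind (-x), base
# scope, empty base DN, LDIF without comments (-LLL). Not run automatically;
# call it with a real URL such as ldap://ldap.example.com (placeholder).
fetch_rootdse() {
    ldapsearch -LLL -x -H "$1" -s base -b '' supportedSASLMechanisms
}

# Read LDIF on stdin and print the advertised mechanisms, one per line, sorted.
offered_mechs() {
    sed -n 's/^supportedSASLMechanisms:[[:space:]]*//p' | LC_ALL=C sort
}

# Read LDIF on stdin; print every advertised mechanism that is not in the
# space-separated whitelist $1 and return 1 if any was found, else 0.
unexpected_mechs() {
    allowed=" $1 "
    status=0
    for m in $(offered_mechs); do
        case "$allowed" in
            *" $m "*) ;;
            *) echo "$m"; status=1 ;;
        esac
    done
    return $status
}

# Typical use against a live server (replace the placeholder URL):
#   fetch_rootdse ldap://ldap.example.com | unexpected_mechs "$EXPECTED_MECHS"
# Self-contained run on the constructed sample; exit status 1 means the
# server offers something outside the whitelist (here DIGEST-MD5 and PLAIN).
printf '%s' "$SAMPLE_ROOTDSE" | unexpected_mechs "$EXPECTED_MECHS"
```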