Re: OpenLDAP & Cyrus-SASL: how to specify mech_list

[Howard Chu <hyc@symas.com>]

Timo Felbinger wrote:
> Hello,
>
> what is the correct way to specify the list of allowed SASL mechanisms,
> in an OpenLDAP-server using Cyrus-SASL?
>
> The cyrus-sasl documentation mentions the option mech_list, but I cannot
> figure out where and how to specify this. Following some examples I found
> on the net, I tried to include e.g.
>   sasl-mech_list: PLAIN
> into my slapd.conf, which I hoped would disable all SASL mechanisms but
> PLAIN, but it didn't have any effect: the server still allowed me to
> authenticate using e.g. EXTERNAL authentication.
>   

Read the slapd.conf(5) manpage. Any directives not mentioned there (like 
your made up "sasl-mech_list") are not valid. Look at sasl-secprops; you 
cannot use PLAIN with the default properties.
> I also tried to specify mech_list in a separate per-application config
> file for the sasl library,
>   /usr/lib/sasl2/slapd.conf
> but this file does not even get accessed by the server.
>   

Actually, libsasl2 reads this file automatically, so any valid Cyrus 
SASL configuration directives placed here will be processed.

> What am I missing here?
> And: is there a way to obtain from the server a complete list of
> authentication mechanisms which it is willing to accept?
>   

Yes, this is a standard feature of LDAPv3, documented in RFC2252. Read 
up on the supportedSASLMechanisms attribute.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/