Re: SASL_MECH and useronly

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 10:29 PM 1/11/2006, Luke Howard wrote:

>>Note that users can tell the library to use an
>>alternative ldap.conf(5) file, and hence go around
>>any 'policy' the administrator tries to enforce using
>>ldap.conf(5).  The administrator should use more
>>appropriate means for enforcing such policy, such
>>as properly configuring their server to support
>>the particular set of allowed mechanisms.  (Administrators
>
>Sure, easy with Cyrus SASL, hard with Active Directory,
>although I am looking into it as it will be a lot easier
>to deploy.
>
>>The intent was for ldap.conf(5) to provide defaults
>>values for command line arguments.   These defaults
>>were only to be used when the user of the tool did
>>not provide a value via the command line.  That is,
>>the user should always be able to specify the
>>desired behavior explicitly on the command line
>>such that any and all defaults values are ignored.
>
>This should still work though, even with ldap.conf(5)
>specifying SASL_MECH.

I'll have to experiment with the code a bit, but
as I recall, there was no way for the user (or
the program) to tell the library to ignore the
default value for these options.  The only
workaround is for the user to ignore the ldap.conf
(or provide a replacement ldap.conf (as opposed
to a .ldaprc).

Kurt