Re: OpenLDAP & Cyrus-SASL: how to specify mech_list
On Thu, Sep 22, 2005 at 10:22:10AM -0700, Howard Chu wrote:
>
> Timo Felbinger wrote:
> >Hello,
> >
> >what is the correct way to specify the list of allowed SASL mechanisms,
> >in an OpenLDAP-server using Cyrus-SASL?
> >
> >The cyrus-sasl documentation mentions the option mech_list, but I cannot
> >figure out where and how to specify this. Following some examples I found
> >on the net, I tried to include e.g.
> > sasl-mech_list: PLAIN
> >into my slapd.conf, which I hoped would disable all SASL mechanisms but
> >PLAIN, but it didn't have any effect: the server still allowed me to
> >authenticate using e.g. EXTERNAL authentication.
> >
>
> Read the slapd.conf(5) manpage. Any directives not mentioned there (like
> your made up "sasl-mech_list") are not valid.
It wasn't me who made this up: google "openldap mech_list" will come
up with (poorly written?) sample configuration files using this
directive; it seems I was not the first one who felt the need for
such a directive. My reasoning that this was likely to work was based
on cyrus-sasl-2.21.1/doc/sysadmin.html:
<cite>
Applications can redefine how the SASL library looks for configuration
information. Check your application's documentation for specifics.
<p>For instance, Cyrus imapd reads its sasl options from its own
configuration file, <tt>/etc/imapd.conf</tt>, by prepending all SASL
options with "<tt>sasl_</tt>": the SASL option "pwcheck_method" is set
by changing "sasl_pwcheck_method" in <tt>/etc/imapd.conf</tt>.
</cite>
My guess was that slapd would work similarly, passing everything
prefixed with "sasl-" to the library. The fact that I could not find
any other configuration file for libsasl2 mentioned anywhere in
the openldap admin guide (http://www.openldap.org/doc/admin23)
seemed to support this guess. I apologize for having been wrong.
> Look at sasl-secprops; you
> cannot use PLAIN with the default properties.
I never wanted to use PLAIN, this was a test whether the directive
worked.
> >I also tried to specify mech_list in a separate per-application config
> >file for the sasl library,
> > /usr/lib/sasl2/slapd.conf
> >but this file does not even get accessed by the server.
> >
>
> Actually, libsasl2 reads this file automatically, so any valid Cyrus
> SASL configuration directives placed here will be processed.
Thank you for confirming that I guessed at least the name of this
configuration file correctly ;-)
What I was missing was that, even though libsasl2.so is read before
slapd's -r option takes effect, the configuration file is read after
the chroot and thus must be placed inside the jail. It works now.
Greetings,
Timo
--
Timo Felbinger <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik Tel: +49 331 977 1793 Fax: -1767
Universitaet Potsdam, Germany PGP key-id: E92567B2
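The thread's conclusion is that mech_list belongs in the Cyrus SASL per-application file /usr/lib/sasl2/slapd.conf, and that with slapd -r the file must live under the jail because libsasl2 opens it after the chroot. The script below is an added example, not code from the thread or from the OpenLDAP or Cyrus SASL projects: it checks that the file exists at the in-jail path and reports the mech_list it sets. The file location follows the thread (some distributions use a different sasl2 directory), the jail is a constructed temporary directory, and the mechanism names in the sample config are illustrative.

```shell
#!/bin/sh
# Added example: verify that slapd's Cyrus SASL config is inside the chroot
# jail passed to "slapd -r JAIL", and show the mech_list it configures.
# Path /usr/lib/sasl2/slapd.conf is taken from the thread; adjust if your
# libsasl2 looks elsewhere.

# sasl_conf_in_jail JAIL: print the in-jail config path; exit 0 if the file
# exists there, 1 if libsasl2 would fail to find it after chroot.
sasl_conf_in_jail() {
    jail=${1%/}
    conf="$jail/usr/lib/sasl2/slapd.conf"
    printf '%s\n' "$conf"
    [ -f "$conf" ]
}

# sasl_mech_list FILE: print the value of the mech_list option (Cyrus SASL
# config syntax is "key: value"; '#' starts a comment). Empty if unset.
sasl_mech_list() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

# Constructed demo jail (assumption: a throwaway directory stands in for the
# real slapd -r directory) with a config restricting slapd to two mechanisms.
demo_jail=$(mktemp -d)
mkdir -p "$demo_jail/usr/lib/sasl2"
cat > "$demo_jail/usr/lib/sasl2/slapd.conf" <<'EOF'
# Cyrus SASL options for slapd; read by libsasl2 after slapd has chrooted
mech_list: DIGEST-MD5 EXTERNAL
EOF

if conf=$(sasl_conf_in_jail "$demo_jail"); then
    echo "found $conf: mech_list = $(sasl_mech_list "$conf")"
else
    echo "missing $conf: libsasl2 will not see mech_list after chroot" >&2
fi
```

Run it with the real jail directory in place of the constructed one to catch the mistake described in the thread before restarting slapd; remember that sasl-secprops in slapd.conf still applies on top of whatever mech_list allows.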