
Re: OpenLDAP & Cyrus-SASL: how to specify mech_list



Hi,

Timo Felbinger <timo.felbinger@physik.uni-potsdam.de> writes:

> Hello,
>
> what is the correct way to specify the list of allowed SASL mechanisms,
> in an OpenLDAP-server using Cyrus-SASL?
>
> The cyrus-sasl documentation mentions the option mech_list, but I cannot
> figure out where and how to specify this. Following some examples I found
> on the net, I tried to include e.g.
>   sasl-mech_list: PLAIN
> into my slapd.conf, which I hoped would disable all SASL mechanisms but
> PLAIN, but it didn't have any effect: the server still allowed me to
> authenticate using e.g. EXTERNAL authentication.

There is no configuration option to declare valid SASL mechanisms;
slapd will happily accept all available mechanisms. PLAIN is disabled
except when used with a secure transport layer and on a local socket;
the same applies to EXTERNAL.

> I also tried to specify mech_list in a separate per-application config
> file for the sasl library,
>   /usr/lib/sasl2/slapd.conf
> but this file does not even get accessed by the server.
>
> What am I missing here?

Reading the admin guide?

> And: is there a way to obtain from the server a complete list of
> authentication mechanisms which it is willing to accept?

ldapsearch -x -H ldap://your.host -b "" -s base \
supportedSASLMechanisms


-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
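An added example, not part of Dieter's reply or of OpenLDAP itself: a small script that takes the output of the ldapsearch command above, pulls out the advertised supportedSASLMechanisms values, and compares them with an allow-list, flagging cleartext-password mechanisms (PLAIN, LOGIN) when the session is not protected. The allow-list and the sample LDIF are constructed for the demonstration.

```python
"""Audit the SASL mechanisms an OpenLDAP server advertises.

Feed it the output of:
  ldapsearch -x -H ldap://your.host -b "" -s base supportedSASLMechanisms
"""
import base64

# Mechanisms that send the password in the clear; only acceptable when the
# LDAP session itself is protected (TLS or a local socket), which is the
# rule slapd applies to PLAIN.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ldif_attr(ldif_text, attr):
    """Return all values of `attr` from LDIF text, unfolding continuation
    lines (leading space) and decoding base64 values (`attr::`)."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    values = []
    for line in logical:
        if line.startswith("#") or ":" not in line:
            continue                          # comment or non-attribute line
        name, _, rest = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):              # base64-encoded value
            values.append(base64.b64decode(rest[1:].strip()).decode())
        else:
            values.append(rest.strip())
    return values


def audit_mechs(ldif_text, allowed, tls_in_use):
    """Return (advertised, not_allowed, risky) as sorted lists."""
    advertised = set(parse_ldif_attr(ldif_text, "supportedSASLMechanisms"))
    not_allowed = sorted(advertised - set(allowed))
    risky = [] if tls_in_use else sorted(advertised & CLEARTEXT_MECHS)
    return sorted(advertised), not_allowed, risky


# Constructed sample output (not captured from a real server).
SAMPLE = """# extended LDIF
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms:: UExBSU4=
supportedSASLMechanisms: LOGIN

# search result
result: 0 Success
"""

if __name__ == "__main__":
    print(audit_mechs(SAMPLE, {"GSSAPI", "EXTERNAL", "DIGEST-MD5"}, False))
```

Pipe real ldapsearch output in place of SAMPLE to check a server: anything in the second list is not on your allow-list, and anything in the third is a cleartext mechanism offered on an unprotected session.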