[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP & Cyrus-SASL: how to specify mech_list


Timo Felbinger <timo.felbinger@physik.uni-potsdam.de> writes:

> Hello,
> what is the correct way to specify the list of allowed SASL mechanisms,
> in an OpenLDAP-server using Cyrus-SASL?
> The cyrus-sasl documentation mentions the option mech_list, but I cannot
> figure out where and how to specify this. Following some examples I found
> on the net, I tried to include e.g.
>   sasl-mech_list: PLAIN
> into my slapd.conf, which I hoped would disable all SASL mechanisms but
> PLAIN, but it didn't have any effect: the server still allowed me to
> authenticate using e.g. EXTERNAL authentication.

There is now configuration option to declare valid SASL mechanisms,
slapd will happily accept all available mechanisms. PLAIN is diabled
except when used with a secure transport layer and on local socket,
same applies to EXTERNAL.

> I also tried to specify mech_list in a separate per-application config
> file for the sasl library,
>   /usr/lib/sasl2/slapd.conf
> but this file does not even get accessed by the server.
> What am I missing here?

Reading the admin guide?

> And: is there a way to obtain from the server a complete list of
> authentication mechanisms which it is willing to accept?

ldapsearch -x -H ldap://your.host -b "" -s base \


Dieter Klünter | Systemberatung