
Re: OpenLDAP & Cyrus-SASL: how to specify mech_list

On Thu, Sep 22, 2005 at 10:22:10AM -0700, Howard Chu wrote:
> Timo Felbinger wrote:
> >Hello,
> >
> >what is the correct way to specify the list of allowed SASL mechanisms,
> >in an OpenLDAP-server using Cyrus-SASL?
> >
> >The cyrus-sasl documentation mentions the option mech_list, but I cannot
> >figure out where and how to specify this. Following some examples I found
> >on the net, I tried to include e.g.
> >  sasl-mech_list: PLAIN
> >into my slapd.conf, which I hoped would disable all SASL mechanisms but
> >PLAIN, but it didn't have any effect: the server still allowed me to
> >authenticate using e.g. EXTERNAL authentication.
> >  
> Read the slapd.conf(5) manpage. Any directives not mentioned there (like 
> your made up "sasl-mech_list") are not valid.

It wasn't me who made this up: googling "openldap mech_list" will come
up with (poorly written?) sample configuration files using this
directive; it seems I was not the first one who felt the need for
such a directive. My reasoning that this was likely to work was based
on cyrus-sasl-2.21.1/doc/sysadmin.html:

  Applications can redefine how the SASL library looks for configuration
  information.  Check your application's documentation for specifics.

  For instance, Cyrus imapd reads its sasl options from its own
  configuration file, /etc/imapd.conf, by prepending all SASL
  options with "sasl_": the SASL option "pwcheck_method" is set
  by changing "sasl_pwcheck_method" in /etc/imapd.conf.

My guess was that slapd would work similarly, passing everything
prefixed with "sasl-" to the library. The fact that I could not find
any other configuration file for libsasl2 mentioned anywhere in
the openldap admin guide (http://www.openldap.org/doc/admin23)
seemed to support this guess. I apologize for having been wrong.

> Look at sasl-secprops; you 
> cannot use PLAIN with the default properties.

I never wanted to use PLAIN; this was a test whether the directive

> >I also tried to specify mech_list in a separate per-application config
> >file for the sasl library,
> >  /usr/lib/sasl2/slapd.conf
> >but this file does not even get accessed by the server.
> >  
> Actually, libsasl2 reads this file automatically, so any valid Cyrus 
> SASL configuration directives placed here will be processed.

Thank you for confirming that I guessed at least the name of this
configuration file correctly ;-)

What I was missing was that, even though libsasl2.so is read before
slapd's -r option takes effect, the configuration file is read after
the chroot and thus must be placed inside the jail. It works now.



Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany   PGP key-id: E92567B2
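The fix Timo describes in his last paragraph, as an added example that is not part of the thread and not OpenLDAP's or Cyrus SASL's own code: libsasl2 opens its per-application file /usr/lib/sasl2/slapd.conf only after slapd has chrooted (slapd -r), so the file has to be staged inside the jail. The jail path, the mechanism list and the helper names are assumptions; the ldapsearch check against the root DSE needs a running slapd and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not from the thread. Stage the Cyrus SASL per-application
# config for slapd *inside* the chroot jail passed to "slapd -r", so that
# libsasl2 finds it after the chroot. Jail path and mech_list value are
# assumptions chosen for illustration.
set -eu

# Write <jail>/usr/lib/sasl2/slapd.conf with the given mech_list.
# The file is security-relevant (it decides which mechanisms libsasl2
# will load), so keep it readable but not writable by the slapd user.
stage_sasl_config() {
    jail=$1       # directory later given to: slapd -r "$jail"
    mechs=$2      # space-separated mechanisms, e.g. "DIGEST-MD5 GSSAPI EXTERNAL"
    dir="$jail/usr/lib/sasl2"
    mkdir -p "$dir"
    printf 'mech_list: %s\n' "$mechs" > "$dir/slapd.conf"
    chmod 0644 "$dir/slapd.conf"
    printf '%s\n' "$dir/slapd.conf"
}

# Read the mech_list value back out of a staged jail (sanity check).
staged_mechs() {
    sed -n 's/^mech_list:[[:space:]]*//p' "$1/usr/lib/sasl2/slapd.conf"
}

# Ask the running server which mechanisms it actually advertises, by
# reading supportedSASLMechanisms from the root DSE. Returns 2 when
# ldapsearch is not installed, so the caller can skip the check.
advertised_mechs() {
    uri=$1        # e.g. ldap://localhost
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found" >&2; return 2; }
    ldapsearch -x -LLL -H "$uri" -b '' -s base supportedSASLMechanisms \
        | sed -n 's/^supportedSASLMechanisms: //p'
}

# Stand-alone demo: stage into a throwaway jail and show what was written.
if [ "${1:-}" = "--demo" ]; then
    jail=$(mktemp -d)
    stage_sasl_config "$jail" "DIGEST-MD5 GSSAPI EXTERNAL"
    staged_mechs "$jail"
    rm -rf "$jail"
fi
```

Run it with `--demo` to see the staged file, then start slapd with `-r <jail>` and compare `advertised_mechs ldap://localhost` against what you staged; a mechanism that still shows up (EXTERNAL in Timo's test) means libsasl2 never saw the file, which after a chroot almost always means it lives outside the jail. Note that mech_list only controls which plugins libsasl2 loads; the slapd-side filter Howard points at, sasl-secprops in slapd.conf, acts on security properties (noplain, noanonymous, minssf and so on) and is applied on top of it, so the two settings should be chosen to agree.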