[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: separate sasl-secprops for different tansports

At 12:49 AM 10/26/2006, Hai Zaar wrote:
>Is there any way to specify sasl-secprops separately for each transport type?
>For ldapi:/// is want "sasl-secprops noanonymous,noplain",
>and "sasl-secprops noanonymous,noplain,noactive" for the rest.


>The idea is to require SASL GSSAPI for everyone with only exception
>for clients connecting via ldapi (like heimdal KDC) - they need SASL

I note that "noactive" doesn't restrict SASL to just GSSAPI.
There are other mechanisms that meet the "noactive" criteria.
(See the Cyrus SASL docs/list.)

I would simply configure Cyrus SASL with support only for
GSSAPI and EXTERNAL (see Cyrus SASL docs/lists for help here).
Assuming you don't provide clients with means to do EXTERNAL
except by ldapi://, then you basically would get what you want.
And if you did provide means for a client to use EXTERNAL by
other means, seems you should consider allowing EXTERNAL through
these other means.

Or you could hack Cyrus SASL so that EXTERNAL is available
when "noactive" is set. (See the Cyrus SASL docs/list.)