I found that the patch I proposed actually threw out the baby with the
bathwater: rejecting all plugins is inappropriate.
So here is a revised version that only excludes the ldapdb plugin specifically:

diff -brpu openldap-2.4.28-orig/servers/slapd/sasl.c 
openldap-2.4.28/servers/slapd/sasl.c
--- openldap-2.4.28-orig/servers/slapd/sasl.c   2011-11-25 19:52:29.000000000 
+0100
+++ openldap-2.4.28/servers/slapd/sasl.c        2012-01-02 01:48:58.000000000 
+0100
@@ -67,6 +67,24 @@ char *slap_sasl_auxprops;

 #ifdef HAVE_CYRUS_SASL

+/* Do not load the ldapdb plugin */
+static int
+slap_sasl_verifyfile(
+       void *context,
+       const char *file,
+       sasl_verify_type_t type)
+{
+       int res = SASL_OK;
+
+       if (type == SASL_VRFY_PLUGIN) {
+               static const char name[] = "libldapdb.so";
+               const char * const p = strstr(file, name);
+               if (p && !strchr(p, '/'))
+                       res = SASL_CONTINUE;
+       }
+       return res;
+}
+
 /* Just use our internal auxprop by default */
 static int
 slap_sasl_getopt(
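Review bot: The strstr() test in slap_sasl_verifyfile looks only at the first occurrence of "libldapdb.so" in the full path, so if a directory in the plugin path contains that string the first match is followed by a '/' and the real file is still accepted; it also rejects any file whose name merely contains the string. Matching on the final path component is tighter: `const char *base = strrchr(file, '/');`, `base = base ? base + 1 : file;`, `if (strncmp(base, name, sizeof name - 1) == 0) res = SASL_CONTINUE;`. The `.so` suffix is platform-specific and the filter works by file name only, so a build with a different shared-library suffix or a renamed copy of the plugin would not be excluded. The comment above the function should state that limit, and say why ldapdb must not be loaded into slapd.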
@@ -1111,6 +1129,7 @@ int slap_sasl_init( void )
        static sasl_callback_t server_callbacks[] = {
                { SASL_CB_LOG, &slap_sasl_log, NULL },
                { SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
+               { SASL_CB_VERIFYFILE, &slap_sasl_verifyfile, NULL },
                { SASL_CB_LIST_END, NULL, NULL }
        };
 #endif

