Timo Felbinger wrote:
> Hello,
> what is the correct way to specify the list of allowed SASL mechanisms,
> in an OpenLDAP-server using Cyrus-SASL?
> The cyrus-sasl documentation mentions the option mech_list, but I cannot
> figure out where and how to specify this. Following some examples I found
> on the net, I tried to include e.g.
> sasl-mech_list: PLAIN
> into my slapd.conf, which I hoped would disable all SASL mechanisms but
> PLAIN, but it didn't have any effect: the server still allowed me to
> authenticate using e.g. EXTERNAL authentication.
Read the slapd.conf(5) manpage. Any directives not mentioned there (like
your made-up "sasl-mech_list") are not valid. Look at sasl-secprops; you
cannot use PLAIN with the default properties.
> I also tried to specify mech_list in a separate per-application config
> file for the sasl library,
> /usr/lib/sasl2/slapd.conf
> but this file does not even get accessed by the server.
Actually, libsasl2 reads this file automatically, so any valid Cyrus
SASL configuration directives placed here will be processed.
> What am I missing here?
> And: is there a way to obtain from the server a complete list of
> authentication mechanisms which it is willing to accept?
Yes, this is a standard feature of LDAPv3, documented in RFC2252. Read
up on the supportedSASLMechanisms attribute.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
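A check to run after tightening mech_list or sasl-secprops, as an added example that is not part of this thread: it reads the supportedSASLMechanisms values that ldapsearch returns from the root DSE and reports any mechanism the server still advertises beyond an intended allowlist. The host name and the LDIF sample embedded below are constructed for the demo, not real server output.

```shell
#!/bin/sh
# Constructed stand-in for the output of
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b "" supportedSASLMechanisms
# (hypothetical host; the mechanism set is made up for the demo).
SAMPLE_LDIF='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
'

# Extract the advertised mechanisms from LDIF on stdin, one per line, sorted.
advertised_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p' | sort -u
}

# Print every advertised mechanism that is not in the space-separated
# allowlist given as $1; return 1 if any were found, 0 otherwise.
# Real use: ldapsearch ... supportedSASLMechanisms | unexpected_mechs "EXTERNAL GSSAPI"
unexpected_mechs() {
    allow=$1
    rc=0
    for m in $(advertised_mechs); do
        case " $allow " in
            *" $m "*) ;;            # on the allowlist, nothing to report
            *) echo "$m"; rc=1 ;;   # advertised but not intended
        esac
    done
    return $rc
}

# Demo on the constructed sample: only EXTERNAL and GSSAPI were intended,
# so DIGEST-MD5 and PLAIN are reported and the check fails.
printf '%s' "$SAMPLE_LDIF" | unexpected_mechs "EXTERNAL GSSAPI" \
    || echo "server still advertises mechanisms outside the allowlist"
```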