On Thu, Sep 22, 2005 at 10:22:10AM -0700, Howard Chu wrote:
> Timo Felbinger wrote:
> > Hello,
> >
> > what is the correct way to specify the list of allowed SASL mechanisms,
> > in an OpenLDAP-server using Cyrus-SASL?
> >
> > The cyrus-sasl documentation mentions the option mech_list, but I cannot
> > figure out where and how to specify this. Following some examples I found
> > on the net, I tried to include e.g.
> >
> >     sasl-mech_list: PLAIN
> >
> > into my slapd.conf, which I hoped would disable all SASL mechanisms but
> > PLAIN, but it didn't have any effect: the server still allowed me to
> > authenticate using e.g. EXTERNAL authentication.
>
> Read the slapd.conf(5) manpage. Any directives not mentioned there (like
> your made up "sasl-mech_list") are not valid.
It wasn't me who made this up: google "openldap mech_list" will come up with
(poorly written?) sample configuration files using this directive; it seems I
was not the first one who felt the need for such a directive.

My reasoning that this was likely to work was based on
cyrus-sasl-2.21.1/doc/sysadmin.html:

    Applications can redefine how the SASL library looks for configuration
    information. Check your application's documentation for specifics.

    For instance, Cyrus imapd reads its sasl options from its own
    configuration file, /etc/imapd.conf, by prepending all SASL options
    with "sasl_": the SASL option "pwcheck_method" is set by changing
    "sasl_pwcheck_method" in /etc/imapd.conf.

My guess was that slapd would work similarly, passing everything prefixed
with "sasl-" to the library. The fact that I could not find any other
configuration file for libsasl2 mentioned anywhere in the openldap admin
guide (http://www.openldap.org/doc/admin23) seemed to support this guess.

I apologize for having been wrong.

> Look at sasl-secprops; you cannot use PLAIN with the default properties.

I never wanted to use PLAIN, this was a test whether the directive worked.

> > I also tried to specify mech_list in a separate per-application config
> > file for the sasl library,
> >
> >     /usr/lib/sasl2/slapd.conf
> >
> > but this file does not even get accessed by the server.
>
> Actually, libsasl2 reads this file automatically, so any valid Cyrus
> SASL configuration directives placed here will be processed.

Thank you for confirming that I guessed at least the name of this
configuration file correctly ;-)

What I was missing was that, even though libsasl2.so is read before slapd's
-r option takes effect, the configuration file is read after the chroot and
thus must be placed inside the jail.

It works now.
Greetings, Timo

--
Timo Felbinger <[EMAIL PROTECTED]>
Quantum Physics Group        http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik         Tel: +49 331 977 1793   Fax: -1767
Universitaet Potsdam, Germany                PGP key-id: E92567B2
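The lesson of the thread (libsasl2 opens /usr/lib/sasl2/slapd.conf after slapd has chrooted with -r, so the file has to sit inside the jail) can be turned into a quick pre-start check. The following is an added example, not code from the thread or from the OpenLDAP or Cyrus SASL projects; the jail path, the function name and the sample mech_list value are constructed for the demonstration, and the config path is the one named in the thread.

```shell
#!/bin/sh
# Added example: verify that the per-application Cyrus SASL config for slapd
# exists inside the chroot jail passed to "slapd -r", and report which
# mechanisms its mech_list allows. A copy outside the jail is invisible to
# libsasl2 once the chroot has happened, which is the mistake the thread
# describes. Path below is the one libsasl2 opens for slapd.
sasl_conf_in_jail() {
    jail="$1"                                  # directory given to slapd -r
    conf="$jail/usr/lib/sasl2/slapd.conf"      # where libsasl2 looks after chroot
    if [ ! -f "$conf" ]; then
        echo "missing: $conf (a copy outside the jail is not read after chroot)" >&2
        return 1
    fi
    # Cyrus SASL config files use "option: value" lines; print the mech_list value.
    sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$conf"
}

# Stand-alone demonstration with a constructed jail in a temporary directory.
demo_jail=$(mktemp -d)
mkdir -p "$demo_jail/usr/lib/sasl2"
printf 'mech_list: EXTERNAL DIGEST-MD5\n' > "$demo_jail/usr/lib/sasl2/slapd.conf"
echo "allowed mechanisms in jail: $(sasl_conf_in_jail "$demo_jail")"
sasl_conf_in_jail "$demo_jail/not-a-jail" || echo "check failed as expected"
rm -rf "$demo_jail"
```

Run it before starting a chrooted slapd; a non-zero exit means libsasl2 will fall back to its defaults because the file it wants is not reachable from inside the jail.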
