| Summary: | Impossible to configure nsslapd-allowed-sasl-mechanisms | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ján Rusnačko <jrusnack> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sankar Ramalingam <sramling> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | jgalipea, mkubik, mreynolds, nhosoi, nkinder |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.3.1.6-14.el7 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Changing the configuration setting did not take effect. Consequence: Server would not operate as expected until it was restarted. Fix: Allow the update to be applied dynamically. Result: The configuration change takes effect immediately. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 12:29:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

New feature allows administrator to configure DS to allow/forbid certain SASL mechanisms. These mechanisms are advertised in RootDSE. According to the design document:

"Using the new configuration attribute "nsslapd-allowed-sasl-mechanisms", specify the list of mechanisms you wish to allow. Each mechanism can be separated by commas or spaces. This setting does not require a server restart to take effect."

I consider 5 scenarios. Before each, DS was freshly installed.

Scenario 1: Try setting all mechanisms separated by comma, then try to allow only 2 of them.
Result: Only EXTERNAL and ANONYMOUS are set, change is silently ignored.

Scenario 2: Try setting all mechanisms separated by space, then try to allow only 2 of them.
Result: All mechanisms are accepted correctly, any subsequent change is silently ignored.

Scenario 3: Try setting just 2 allowed mechanisms with commas, try replacing them with some others.
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL and GSSAPI; subsequent changes are silently ignored.

Scenario 4: Try setting just 2 allowed mechanisms without commas, try replacing them with some others.
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL, SCRAM-SHA-1 and GSSAPI.

Scenario 5: Replace empty nsslapd-allowed-sasl-mechanisms with empty value.
Result: Only EXTERNAL is advertised by RootDSE.

Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.6-8.el7.x86_64

How reproducible: always

Steps to Reproduce:

SCENARIO 1:

```
# Try setting all mechanisms separated by commas
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS
> EOF
modifying entry "cn=config"

# Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"

# Change is ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
```

SCENARIO 2:

```
# Try setting all mechanisms separated by space
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF
modifying entry "cn=config"

# Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"

# Change is accepted but ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
```

SCENARIO 3:

```
# Try setting some values separated by commas
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

# External shouldn't be here, SCRAM-SHA-1 is missing
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

# Try changing to some other values
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI, DIGEST-MD5
EOF
modifying entry "cn=config"

# Ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
```

SCENARIO 4:

```
# Try setting values separated by spaces
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"

# External shouldn't be here
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: DIGEST-MD5 GSS-SPNEGO
EOF
modifying entry "cn=config"

# Ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
```

SCENARIO 5:

```
# Check which mechanisms are advertised when nsslapd-allowed-sasl-mechanisms is empty
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

# Set nsslapd-allowed-sasl-mechanisms to empty value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

# Only EXTERNAL is advertised
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
```

Testing and automation is blocked until this bug is fixed.

One more case:

```
[jrusnack@dstet ~]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: A B C D

[jrusnack@dstet ~]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
```

Upstream ticket: https://fedorahosted.org/389/ticket/47613

Fixed upstream

Comment #10 (Ján Rusnačko):

I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream patch suggests, the only issue that was addressed was allowing mechanisms to be comma separated.

However, some configuration and design issues seem not to be addressed:

1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any subsequent change is accepted but ignored by server. Design document says: "SASL config changes do not require a server restart now."

2) Setting to "A B C D" has unexpected results:

```
[jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: A B C D
EOF
modifying entry "cn=config"

[jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
```

3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported mechanisms are allowed. However, replacing this attribute with empty value seems to blacklist all mechanisms. This might not be a problem, but users cannot rely on checking the value of nsslapd-allowed-sasl-mechanisms to see whether all are allowed or blacklisted. This inconsistent behavior could be documented or fixed (by enumerating all supported mechs as default value?).

Comment #11 (mreynolds):

(In reply to Ján Rusnačko from comment #10)
> I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream
> patch suggests, the only issue that was addressed was allowing mechanisms to
> be comma separated.
>
> However, some configuration and design issues seem not to be addressed:
>
> 1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any
> subsequent change is accepted but ignored by server. Design document says:
> "SASL config changes do not require a server restart now."

I need to look into this.

> 2) Setting to "A B C D" has unexpected results:

This is actually a bug in cyrus sasl. IMHO, I don't think we should write code to work around their bugs. Maybe for now this should just be documented somewhere.

> [jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory
> manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: A B C D
> EOF
>
> modifying entry "cn=config"
>
> [jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D
> "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
>
> 3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported
> mechanisms are allowed. However, replacing this attribute with empty value
> seems to blacklist all mechanisms. This might not be a problem, but users
> cannot rely on checking the value of nsslapd-allowed-sasl-mechanisms to see
> whether all are allowed or blacklisted. This inconsistent behavior could be
> documented or fixed (by enumerating all supported mechs as default value?).

The empty value should be addressed/ignored by the server - I'll work on it next.

Comment #12 (Nathan Kinder):

(In reply to mreynolds from comment #11)
> (In reply to Ján Rusnačko from comment #10)
> >
> > 2) Setting to "A B C D" has unexpected results:
>
> This is actually a bug in cyrus sasl. IMHO, I don't think we should write
> code to work around their bugs. Maybe for now this should just be documented
> somewhere.

Please open a bug against the cyrus-sasl component on this as well.

(In reply to Nathan Kinder from comment #12)
> (In reply to mreynolds from comment #11)
> > (In reply to Ján Rusnačko from comment #10)
> > >
> > > 2) Setting to "A B C D" has unexpected results:
> >
> > This is actually a bug in cyrus sasl. IMHO, I don't think we should write
> > code to work around their bugs. Maybe for now this should just be documented
> > somewhere.
>
> Please open a bug against the cyrus-sasl component on this as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1040699

Fixed upstream...

(In reply to Ján Rusnačko from comment #10)
> I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream
> patch suggests, the only issue that was addressed was allowing mechanisms to
> be comma separated.
>
> However, some configuration and design issues seem not to be addressed:
>
> 1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any
> subsequent change is accepted but ignored by server. Design document says:
> "SASL config changes do not require a server restart now."

This is now fixed upstream.

> 2) Setting to "A B C D" has unexpected results:
>
> [jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory
> manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: A B C D
> EOF
>
> modifying entry "cn=config"
>
> [jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D
> "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5

Filed a bug against cyrus sasl for this issue.

> 3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported
> mechanisms are allowed. However, replacing this attribute with empty value
> seems to blacklist all mechanisms. This might not be a problem, but users
> cannot rely on checking the value of nsslapd-allowed-sasl-mechanisms to see
> whether all are allowed or blacklisted. This inconsistent behavior could be
> documented or fixed (by enumerating all supported mechs as default value?).

This type of update should be rejected. This is now fixed upstream.

Test coverage (suite/test cases): sasl/sasl_allowed_mapping*

DS version: 389-ds-base-1.3.1.6-15

These are valid for all scenarios:

```
LDAPhost=localhost
LDAPport=2222
ROOTDN="cn=directory manager"
ROOTDNPW=Secret123
```

Scenarios 1, 2 (commas are replaced by spaces, results are the same):

```
ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

modifying entry "cn=config"

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5
```

Scenarios 3, 4:

```
ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: PLAIN ANONYMOUS
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5
```

Scenario 5: https://bugzilla.redhat.com/show_bug.cgi?id=1034739#c11

```
ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:
EOF
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
delete: nsslapd-allowed-sasl-mechanisms
EOF
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Deleting attributes is not allowed
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
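The whole bug is that the value stored in cn=config and the set of mechanisms the server actually offers in the rootDSE drifted apart silently, so a practitioner wants a check that compares the two rather than trusting either one. The following audit is an added example, not code from the bug report or from 389-ds-base. It unfolds LDIF continuation lines (the wrapped `DI\n GEST-MD5` seen in the transcripts above), accepts the attribute value in either the comma or the space form, and reports mechanisms that are advertised but not allowed, allowed but not advertised, and advertised but weak. Two things are this example's own assumptions: that EXTERNAL is always advertised even when not listed (every verified output on this page shows it, since it is handled by the server rather than by the cyrus-sasl allow-list), and the policy set of mechanisms treated as weak. The LDIF texts are constructed from the outputs pasted in this bug.

```python
"""Audit nsslapd-allowed-sasl-mechanisms against the rootDSE advertisement.

Added example for this bug page; not 389-ds-base code.  Feed it the saved
output of two ldapsearch calls:
  ldapsearch -LLL ... -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
  ldapsearch -LLL ... -s base -b ""          supportedSASLMechanisms
"""
import re

# Assumption drawn from the verified outputs on this page: the server
# advertises EXTERNAL even when it is not in the allow-list.
IMPLICIT_MECHS = frozenset({"EXTERNAL"})

# Assumed policy for this example: cleartext (PLAIN, LOGIN), unauthenticated
# (ANONYMOUS) and MD5-based (CRAM-MD5; DIGEST-MD5, deprecated by RFC 6331).
WEAK_MECHS = frozenset({"PLAIN", "LOGIN", "ANONYMOUS", "CRAM-MD5", "DIGEST-MD5"})


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, so a long attribute value comes back as one string."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_values(text, attr):
    """Return every value of attribute `attr` (case-insensitive) in an LDIF text."""
    want = attr.lower() + ":"
    return [line[len(want):].strip()
            for line in unfold_ldif(text) if line.lower().startswith(want)]


def parse_allowed(value):
    """Split nsslapd-allowed-sasl-mechanisms on commas and/or whitespace.
    An empty value is the server default, meaning no restriction."""
    return frozenset(m.upper() for m in re.split(r"[,\s]+", value.strip()) if m)


def audit(config_ldif, rootdse_ldif):
    """Compare configured allow-list with what the rootDSE advertises."""
    vals = ldif_values(config_ldif, "nsslapd-allowed-sasl-mechanisms")
    allowed = parse_allowed(vals[0]) if vals else frozenset()
    advertised = frozenset(v.upper()
                           for v in ldif_values(rootdse_ldif, "supportedSASLMechanisms"))
    if allowed:
        expected = allowed | IMPLICIT_MECHS
        not_applied = advertised - expected   # offered although not allowed
        missing = expected - advertised       # allowed but not offered
    else:                                     # empty list: nothing to enforce
        not_applied = missing = frozenset()
    return {
        "allowed": allowed,
        "advertised": advertised,
        "not_applied": not_applied,
        "missing": missing,
        "weak_exposed": advertised & WEAK_MECHS,
        "ok": not not_applied and not missing,
    }


# Constructed samples, copied from transcripts in this bug.
# Comment #10: allow-list "A B C D" silently ignored.
CONFIG_IGNORED = "dn: cn=config\nnsslapd-allowed-sasl-mechanisms: A B C D\n"
ROOTDSE_IGNORED = ("dn:\nsupportedSASLMechanisms: EXTERNAL\n"
                   "supportedSASLMechanisms: ANONYMOUS\n"
                   "supportedSASLMechanisms: CRAM-MD5\n"
                   "supportedSASLMechanisms: DIGEST-MD5\n")
# Scenario 1 of the report: comma-separated value, folded by LDIF output.
CONFIG_COMMA = ("dn: cn=config\n"
                "nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI\n"
                " GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS\n")
ROOTDSE_COMMA = "dn:\nsupportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: ANONYMOUS\n"
# QA verification on 1.3.1.6-15: the change is applied.
CONFIG_FIXED = "dn: cn=config\nnsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5\n"
ROOTDSE_FIXED = ("dn:\nsupportedSASLMechanisms: EXTERNAL\n"
                 "supportedSASLMechanisms: GSSAPI\nsupportedSASLMechanisms: DIGEST-MD5\n")

if __name__ == "__main__":
    for name, cfg, dse in (("ignored", CONFIG_IGNORED, ROOTDSE_IGNORED),
                           ("comma", CONFIG_COMMA, ROOTDSE_COMMA),
                           ("fixed", CONFIG_FIXED, ROOTDSE_FIXED)):
        r = audit(cfg, dse)
        print(name, "OK" if r["ok"] else "MISMATCH",
              "not_applied=%s missing=%s weak=%s" % (sorted(r["not_applied"]),
                                                     sorted(r["missing"]),
                                                     sorted(r["weak_exposed"])))
```

The `ok` flag and `weak_exposed` are deliberately separate: on the fixed server the configured list is applied faithfully, yet DIGEST-MD5 is still flagged, because a correctly applied allow-list that still contains a weak mechanism is a policy problem, not a server bug. Running the audit after every change to cn=config, rather than only reading the attribute back, is what would have caught the "accepted but ignored" behaviour this bug describes.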