Bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms
Summary: Impossible to configure nsslapd-allowed-sasl-mechanisms
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-26 12:25 UTC by Ján Rusnačko
Modified: 2020-09-13 20:51 UTC (History)

Fixed In Version: 389-ds-base-1.3.1.6-14.el7
Doc Type: Bug Fix
Doc Text:
Cause: Changing the configuration setting did not take effect.
Consequence: Server would not operate as expected until it was restarted.
Fix: Allow the update to be applied dynamically.
Result: The configuration change takes effect immediately.
Clone Of:
Environment:
Last Closed: 2014-06-13 12:29:52 UTC
Target Upstream Version:




Links:
GitHub 389ds/389-ds-base issue 950 (status: closed): Impossible to configure nsslapd-allowed-sasl-mechanisms, last updated 2021-02-09 13:33:53 UTC

Description Ján Rusnačko 2013-11-26 12:25:13 UTC
Description of problem:
The new feature allows the administrator to configure DS to allow/forbid certain SASL mechanisms. These mechanisms are advertised in the RootDSE.

According to the design document:
"Using the new configuration attribute "nsslapd-allowed-sasl-mechanisms", specify the list of the mechanisms you wish to allow. Each mechanism can be separated by commas or spaces.

This setting does not require a server restart to take effect. "

I consider 5 scenarios. Before each, DS was freshly installed.

Scenario 1: Try setting all mechanisms separated by comma, then try to allow only 2 of them
Result: Only EXTERNAL and ANONYMOUS are set, change is silently ignored

Scenario 2: Try setting all mechanisms separated by space, then try to allow only 2 of them
Result: All mechanisms are accepted correctly, any subsequent change is silently ignored

Scenario 3: Try setting just 2 allowed mechanisms with commas, try replacing them with some others
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL and GSSAPI, subsequent changes are silently ignored

Scenario 4: Try setting just 2 allowed mechanisms without commas, try replacing them with some others
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL, SCRAM-SHA-1 and GSSAPI

Scenario 5: Replace empty nsslapd-allowed-sasl-mechanisms with empty value
Result: Only EXTERNAL is advertised by RootDSE

Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.6-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:

SCENARIO 1:

# Try setting all mechanisms separated by commas
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS
> EOF
modifying entry "cn=config"

# Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI
 GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF

modifying entry "cn=config"

# Change is ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI
 GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

SCENARIO 2:

# Try setting all mechanisms separated by space
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF

modifying entry "cn=config"


# Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST
 -MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"

# Change is accepted but ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST
 -MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

SCENARIO 3:

# Try setting some values separated by commas
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI
EOF

modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

# EXTERNAL shouldn't be here, SCRAM-SHA-1 is missing
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

# Try changing to some other values
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI, DIGEST-MD5
EOF

modifying entry "cn=config"

# Ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

SCENARIO 4:

# Try setting values separated by spaces
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF

modifying entry "cn=config"

# EXTERNAL shouldn't be here
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

# Try changing to some other value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: DIGEST-MD5 GSS-SPNEGO
EOF

modifying entry "cn=config"

# Ignored
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

SCENARIO 5:

# Check which mechanisms are advertised when nsslapd-allowed-sasl-mechanisms is empty
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

# Set nsslapd-allowed-sasl-mechanisms to empty value
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: 
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

# Only EXTERNAL is advertised
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL

Comment 2 Jenny Severance 2013-11-26 15:15:48 UTC
Testing and automation is blocked until this bug is fixed.

Comment 6 Ján Rusnačko 2013-11-26 21:05:52 UTC
One more case:

[jrusnack@dstet ~]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: A B C D

[jrusnack@dstet ~]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

Comment 7 Nathan Kinder 2013-12-02 15:38:34 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/47613

Comment 8 mreynolds 2013-12-03 20:56:24 UTC
Fixed upstream

Comment 10 Ján Rusnačko 2013-12-11 21:33:00 UTC
I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream patch suggests, the only issue that was addressed was allowing mechanisms to be comma separated. 

However, some configuration and design issues seem to be not addressed:

1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any subsequent change is accepted but ignored by server. Design document says: "SASL config changes do not require a server restart now. "

2) Setting to "A B C D" has unexpected results:

[jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: A B C D   
EOF

modifying entry "cn=config"

[jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported mechanisms are allowed. However, replacing this attribute with an empty value seems to blacklist all mechanisms. This might not be a problem, but users cannot rely on checking the value of nsslapd-allowed-sasl-mechanisms to see whether all are allowed or blacklisted. This inconsistent behavior could be documented or fixed (by enumerating all supported mechs as the default value?).

Comment 11 mreynolds 2013-12-11 21:49:07 UTC
(In reply to Ján Rusnačko from comment #10)
> I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream
> patch suggests, the only issue that was addressed was allowing mechanisms to
> be comma separated. 
> 
> However, some configuration and design issues seem to be not addressed:
> 
> 1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any
> subsequent change is accepted but ignored by server. Design document says:
> "SASL config changes do not require a server restart now. "

I need to look into this.

> 
> 2) Setting to "A B C D" has unexpected results:

This is actually a bug in cyrus sasl.  IMHO, I don't think we should write code to work around their bugs.  Maybe for now this should just be documented somewhere.

> 
> [jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory
> manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: A B C D   
> EOF
> 
> modifying entry "cn=config"
> 
> [jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D
> "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> 
> 3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported
> mechanisms are allowed. However, replacing this attribute with empty value
> seems to blacklist all mechanisms. This might not be a problem, but users
> cannot rely on checking value of nsslapd-allowed-sasl-mechanisms to see
> whether all are allowed or blacklisted. This inconsistent behavior could be
> documented or fixed (by enumerating all supported mechs as default value?).

The empty value should be addressed/ignored by the server - I'll work on it next.

Comment 12 Nathan Kinder 2013-12-11 22:04:13 UTC
(In reply to mreynolds from comment #11)
> (In reply to Ján Rusnačko from comment #10) 
> > 
> > 2) Setting to "A B C D" has unexpected results:
> 
> This is actually a bug in cyrus sasl.  IMHO, I don't think we should write
> code to work around their bugs.  Maybe for now this should just be documented
> somewhere.
> 

Please open a bug against the cyrus-sasl component on this as well.

Comment 13 mreynolds 2013-12-11 22:43:50 UTC
(In reply to Nathan Kinder from comment #12)
> (In reply to mreynolds from comment #11)
> > (In reply to Ján Rusnačko from comment #10) 
> > > 
> > > 2) Setting to "A B C D" has unexpected results:
> > 
> > This is actually a bug in cyrus sasl.  IMHO, I don't think we should write
> > code to work around their bugs.  Maybe for now this should just be documented
> > somewhere.
> > 
> 
> Please open a bug against the cyrus-sasl component on this as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1040699

Comment 14 mreynolds 2013-12-12 21:14:49 UTC
Fixed upstream...

(In reply to Ján Rusnačko from comment #10)
> I tried testing the feature with 389-ds-base-1.3.1.6-12.el7. As the upstream
> patch suggests, the only issue that was addressed was allowing mechanisms to
> be comma separated. 
> 
> However, some configuration and design issues seem to be not addressed:
> 
> 1) nsslapd-allowed-sasl-mechanisms can be configured only once. Any
> subsequent change is accepted but ignored by server. Design document says:
> "SASL config changes do not require a server restart now. "

This is now fixed upstream.

> 
> 2) Setting to "A B C D" has unexpected results:
> 
> [jrusnack@dstet sasl2]$ ldapmodify -h localhost -p 22222 -D "cn=directory
> manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: A B C D   
> EOF
> 
> modifying entry "cn=config"
> 
> [jrusnack@dstet sasl2]$ ldapsearch -LLL -h localhost -p 22222 -D
> "cn=directory manager" -w Secret123 -s base -b "" supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5

Filed a bug against cyrus sasl for this issue.

> 
> 3) By default, nsslapd-allowed-sasl-mechanisms is empty and all supported
> mechanisms are allowed. However, replacing this attribute with empty value
> seems to blacklist all mechanisms. This might not be a problem, but users
> cannot rely on checking value of nsslapd-allowed-sasl-mechanisms to see
> whether all are allowed or blacklisted. This inconsistent behavior could be
> documented or fixed (by enumerating all supported mechs as default value?).

This type of update should be rejected.  This is now fixed upstream.

Comment 15 Milan Kubík 2014-01-29 14:39:31 UTC
test coverage (suite/test cases): sasl/sasl_allowed_mapping*
DS version: 389-ds-base-1.3.1.6-15

LDAPhost=localhost
LDAPport=2222
ROOTDN="cn=directory manager"
ROOTDNPW=Secret123

these are valid for all scenarios

scenarios 1, 2:
commas are replaced by spaces, results are the same

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

modifying entry "cn=config"

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5


scenarios 3, 4:

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: PLAIN ANONYMOUS
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5
EOF

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5

ldapsearch -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" -LLL -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: GSSAPI DIGEST-MD5

scenario 5:
https://bugzilla.redhat.com/show_bug.cgi?id=1034739#c11

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: 
EOF

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)


ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
delete: nsslapd-allowed-sasl-mechanisms
EOF

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Deleting attributes is not allowed
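As an added example (not code from the bug report or from 389-ds-base), a small Python checker that does what the reporter and the tester did by hand: it parses the two ldapsearch results, splits the allow list on commas or spaces, and reports mechanisms that are allowed but not advertised (a silently ignored change) or advertised but not allowed. It assumes, from what the thread shows, that EXTERNAL is always advertised; the LDIF samples are constructed from Scenario 1.

```python
import re

# Observed in the bug thread: the RootDSE advertises EXTERNAL even when the
# allow list omits it, so the expected set always contains it (an assumption
# drawn from the thread, not from 389-ds-base documentation).
ALWAYS_ADVERTISED = {"EXTERNAL"}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def ldif_values(text, attr):
    """Return every value of attr in an ldapsearch -LLL result, in order."""
    prefix = attr.lower() + ":"
    return [line[len(prefix):].strip() for line in unfold_ldif(text)
            if line.lower().startswith(prefix)]


def parse_allowed(value):
    """Split nsslapd-allowed-sasl-mechanisms on commas and/or whitespace."""
    return [m for m in re.split(r"[\s,]+", value.strip()) if m]


def check_sasl_advertisement(config_ldif, rootdse_ldif):
    """Compare the allow list in cn=config with the RootDSE's supportedSASLMechanisms.
    missing = allowed but not advertised; unexpected = advertised but not allowed.
    An empty allow list means 'everything supported', so there is nothing to compare."""
    values = ldif_values(config_ldif, "nsslapd-allowed-sasl-mechanisms")
    allowed = parse_allowed(values[0]) if values else []
    advertised = set(ldif_values(rootdse_ldif, "supportedSASLMechanisms"))
    if not allowed:
        return {"ok": True, "missing": set(), "unexpected": set(), "advertised": advertised}
    expected = set(allowed) | ALWAYS_ADVERTISED
    missing, unexpected = expected - advertised, advertised - expected
    return {"ok": not missing and not unexpected, "missing": missing,
            "unexpected": unexpected, "advertised": advertised}


# Constructed sample output modelled on Scenario 1 of the report: all nine
# mechanisms are configured (note the folded LDIF line), but the RootDSE
# advertises only two, so the change was silently ignored.
SCENARIO1_CONFIG = """dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI
 GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS
"""
SCENARIO1_ROOTDSE = """dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
"""

if __name__ == "__main__":
    result = check_sasl_advertisement(SCENARIO1_CONFIG, SCENARIO1_ROOTDSE)
    print("OK" if result["ok"] else "MISMATCH",
          "missing:", sorted(result["missing"]),
          "unexpected:", sorted(result["unexpected"]))
```

Run it against live output by piping the two ldapsearch results from the steps above into the two functions' arguments; a non-empty "missing" set after a replace is exactly the symptom this bug describes.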

Comment 16 Ludek Smid 2014-06-13 12:29:52 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

