Description of problem:
Fedora Directory Server should permit individual SASL mechanisms to be enabled
and disabled. (The inability to do so causes problems for OS X clients, which
expect CRAM-MD5 authentication to either work or return a "user not found in
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Note the list of supportedSASLMechanisms in the root DSE.
2. Check cn=config and the Admin console for a way to change this list.
Actual results:
Unable to change the list of supportedSASLMechanisms.
Expected results:
Able to change the list of supportedSASLMechanisms.
I think you may be able to do something like this:
1) Create a private sasl directory for the server e.g.
2) Create symlinks to the SASL plugins in that directory
cd /opt/fedora-ds/slapd-instance/sasl2 ; for file in $libdir/sasl2/*.so* ; do
ln -s $file
done
3) Remove the symlinks for the mechanisms you don't want to support e.g.
4) Edit the start-slapd shell script
SASL_PATH=/opt/fedora-ds/slapd-instance/sasl2 ; export SASL_PATH
5) Restart the directory server
If the server can't find the mech plugin, it should not list it.
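The symlink procedure in the comment above, written as a re-runnable shell function (an added example, not part of the bug report or of the Fedora DS project). The function names build_sasl_dir and list_mechs are hypothetical, and the lib<mech>.so* plugin file naming is an assumption based on the usual Cyrus SASL layout.

```shell
#!/bin/sh
# Added example: build a private SASL plugin directory that leaves out
# selected mechanisms. Assumes plugins are named lib<mech>.so* (for
# instance libcrammd5.so.2); function names are hypothetical.

# build_sasl_dir SRC DST [DENY...]
#   SRC   absolute path of the system plugin directory ($libdir/sasl2)
#   DST   private directory the server is pointed at through SASL_PATH
#   DENY  plugin base names to leave out, e.g. crammd5 digestmd5
build_sasl_dir() {
    src=$1
    dst=$2
    shift 2
    # A relative SRC would produce dangling links inside DST.
    case $src in
        /*) ;;
        *) echo "SRC must be an absolute path: $src" >&2; return 1 ;;
    esac
    [ -d "$src" ] || { echo "no such plugin directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # Remove links from an earlier run so a newly denied mechanism
    # does not stay available.
    for old in "$dst"/*.so*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for file in "$src"/*.so*; do
        [ -e "$file" ] || continue      # glob matched nothing
        name=${file##*/}                # libcrammd5.so.2
        mech=${name#lib}
        mech=${mech%%.so*}              # crammd5
        skip=no
        for deny in "$@"; do
            if [ "$mech" = "$deny" ]; then skip=yes; fi
        done
        [ "$skip" = yes ] || ln -s "$file" "$dst/$name" || return 1
    done
}

# list_mechs DST: print the plugin base names still linked, sorted.
list_mechs() {
    for link in "$1"/*.so*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        name=${name#lib}
        echo "${name%%.so*}"
    done | sort -u
}
```

After restarting the server with SASL_PATH set as in step 4, compare the supportedSASLMechanisms values in the root DSE with the output of list_mechs to confirm the omitted mechanisms are no longer advertised.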
Rich's suggestion should work fine. There is also another method that should
work, although I haven't attempted to use it myself. Cyrus SASL has support for
creating an <app>.conf file that allows you to configure what mechanisms the
SASL library will support for that given application. We rely on SASL to
generate the list of supported mechanisms that are listed in the root DSE, so
this would address the problem.
Putting this on the list for the next release.