Description of problem:
Fedora Directory Server should permit individual SASL mechanisms to be enabled and disabled. (The inability to do so causes problems for OS X clients, which expect CRAM-MD5 authentication to either work or return a "user not found in database" error.)

Version-Release number of selected component (if applicable):
1.0.2

How reproducible:
always

Steps to Reproduce:
1. Note the list of supportedSASLMechanisms in the root DSE.
2. Check cn=config and the Admin console for a way to change this list.

Actual results:
Unable to change the list of supportedSASLMechanisms.

Expected results:
Able to change the list of supportedSASLMechanisms.

Additional info:
I think you may be able to do something like this:
1) Create a private sasl directory for the server e.g.
   mkdir /opt/fedora-ds/slapd-instance/sasl2
2) create symlinks to the sasl plugins in that directory
   cd /opt/fedora-ds/slapd-instance/sasl2 ; for file in $libdir/sasl2/*.so* ; do ln -s $file ; done
3) Remove the symlinks for the mechanisms you don't want to support e.g.
   rm *cram*
4) edit the start-slapd shell script
   SASL_PATH=/opt/fedora-ds/slapd-instance/sasl2 ; export SASL_PATH
5) restart the directory server
If the server can't find the mech plugin, it should not list it.
Rich's suggestion should work fine. There is also another method that should work, although I haven't attempted to use it myself. Cyrus SASL has support for creating an <app>.conf file that allows you to configure what mechanisms the SASL library will support for that given application. We rely on SASL to generate the list of supported mechanisms that are listed in the root DSE, so this would address the problem.
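The two workarounds in the comments above (a private plugin directory reached through SASL_PATH, and a per-application Cyrus SASL config file), written up as an added POSIX shell example. This is not code from the bug report or from Fedora Directory Server. Assumptions beyond what the page states: the Cyrus SASL application config option is named "mech_list" (from the Cyrus SASL documentation, not from this report); the application name "slapd", the plugin and config directories, and the "lib<mech>.so" file naming are placeholders; the demo runs on constructed empty files in a temporary directory so it works offline, and the ldapsearch line used to verify the root DSE is only a comment.

```shell
#!/bin/sh
# Added example (not part of the bug report): restrict which SASL mechanisms
# a Cyrus-SASL application can offer, via the two routes from the comments.
# ASSUMPTIONS: "mech_list" is the Cyrus SASL per-application config option;
# the app name "slapd" and all directories below are placeholders.

# Route 1: build a private plugin directory holding symlinks to every plugin
# except those matching an exclusion glob; point SASL_PATH at the result.
# usage: build_sasl_plugin_dir SRC_DIR DEST_DIR EXCLUDE_GLOB   (quote the glob)
build_sasl_plugin_dir() {
    src=$(cd "$1" && pwd) || return 1   # absolute, so symlinks never dangle
    dest="$2"; exclude="$3"
    mkdir -p "$dest"
    for file in "$src"/*.so*; do
        [ -e "$file" ] || continue       # glob matched nothing
        base=$(basename "$file")
        case "$base" in
            $exclude) continue ;;        # drop the unwanted mechanism plugin
        esac
        ln -sf "$file" "$dest/$base"
    done
}

# Route 2: write <appname>.conf with an explicit allow-list of mechanisms.
# usage: write_sasl_app_conf CONF_DIR APPNAME "MECH1 MECH2"; prints the path.
write_sasl_app_conf() {
    conf="$1/$2.conf"
    mkdir -p "$1"
    printf 'mech_list: %s\n' "$3" > "$conf"
    echo "$conf"
}

# Mechanisms a plugin directory would offer, derived from the "lib<mech>.so"
# naming convention (placeholder assumption), sorted, space separated.
list_plugin_mechs() {
    for f in "$1"/lib*.so; do
        [ -e "$f" ] || continue
        basename "$f" | sed -e 's/^lib//' -e 's/\.so$//'
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# Demo on constructed files: fake plugins, drop CRAM-MD5, show the difference.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/sasl2"
    for m in plain login crammd5 digestmd5 gssapiv2; do   # constructed names
        : > "$tmp/lib/sasl2/lib$m.so"
        : > "$tmp/lib/sasl2/lib$m.so.2"
    done
    echo "system plugins offer: $(list_plugin_mechs "$tmp/lib/sasl2")"
    build_sasl_plugin_dir "$tmp/lib/sasl2" "$tmp/slapd-instance/sasl2" '*cram*'
    echo "private dir offers:   $(list_plugin_mechs "$tmp/slapd-instance/sasl2")"
    echo "start-slapd needs:    SASL_PATH=$tmp/slapd-instance/sasl2 ; export SASL_PATH"
    conf=$(write_sasl_app_conf "$tmp/etc/sasl2" slapd "PLAIN LOGIN DIGEST-MD5 GSSAPI")
    echo "app config $conf contains: $(cat "$conf")"
    # After restarting the server, confirm the root DSE no longer lists the
    # mechanism (ldapsearch from OpenLDAP client tools, assumed installed):
    #   ldapsearch -x -H ldap://localhost -s base -b '' supportedSASLMechanisms
    rm -rf "$tmp"
}

demo
```

Either route changes only what the server advertises; a client that hard-codes CRAM-MD5 will then get the "mechanism not available" style failure instead of the "user not found" error the OS X client expects, so re-check the root DSE after restart rather than assuming the removal took effect.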
Putting this on the list for the next release.