Bug 206053 - FDS should permit configuration of SASL mechanisms
Product: 389
Classification: Community
Component: Security - SASL
All Linux
medium Severity low
Assigned To: Nathan Kinder
Chandrasekar Kannan
Depends On:
Blocks: 389_1.3.0 512820
Reported: 2006-09-11 14:37 EDT by Josh Kelley
Modified: 2015-01-04 18:20 EST
Doc Type: Bug Fix
Last Closed: 2011-04-04 16:47:41 EDT
Description Josh Kelley 2006-09-11 14:37:08 EDT
Description of problem:

Fedora Directory Server should permit individual SASL mechanisms to be enabled
and disabled.  (The inability to do so causes problems for OS X clients, which
expect CRAM-MD5 authentication to either work or return a "user not found in
database" error.)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Note the list of supportedSASLMechanisms in the root DSE.
2. Check cn=config and the Admin console for a way to change this list.

Actual results:
Unable to change the list of supportedSASLMechanisms.

Expected results:
Able to change the list of supportedSASLMechanisms.

Additional info:
Comment 1 Rich Megginson 2007-10-05 12:08:02 EDT
I think you may be able to do something like this:
1) Create a private sasl directory for the server e.g.
 mkdir /opt/fedora-ds/slapd-instance/sasl2
2) Create symlinks to the sasl plugins in that directory
 cd /opt/fedora-ds/slapd-instance/sasl2 ; for file in $libdir/sasl2/*.so* ; do
   ln -s $file
 done
3) Remove the symlinks for the mechanisms you don't want to support e.g.
 rm *cram*
4) Edit the start-slapd shell script
 SASL_PATH=/opt/fedora-ds/slapd-instance/sasl2 ; export SASL_PATH
5) Restart the directory server

If the server can't find the mech plugin, it should not list it.
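
The procedure in Comment 1 as a reusable script, added here as an illustration; it is not part of the original comment or of the project's code. It generalizes step 3 by taking the patterns to exclude as arguments and adds a check on root DSE output; `build_sasl_dir`, `mech_listed` and `demo` are hypothetical names, and the plugin file names in `demo` are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are arguments.

# build_sasl_dir SRC DST PATTERN...
# Symlink every plugin in SRC (absolute path) into DST, skipping file
# names that match any shell PATTERN, e.g. '*cram*'.
build_sasl_dir() {
    src=$1; dst=$2; shift 2
    mkdir -p "$dst" || return 1
    for file in "$src"/*.so*; do
        [ -e "$file" ] || continue        # glob matched nothing
        name=${file##*/}; skip=no
        for pat in "$@"; do
            case $name in $pat) skip=yes ;; esac
        done
        if [ "$skip" = no ]; then
            ln -sf "$file" "$dst/$name" || return 1
        fi
    done
}

# mech_listed MECH
# Reads a root DSE dump (LDIF) on stdin; succeeds only if MECH is
# advertised as a supportedSASLMechanisms value. With OpenLDAP tools the
# input would come from (assumed invocation):
#   ldapsearch -x -b "" -s base supportedSASLMechanisms
mech_listed() {
    grep -qixF "supportedSASLMechanisms: $1"
}

# Offline demo on constructed plugin file names in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src"
    for f in libcrammd5.so.2 libdigestmd5.so.2 libgssapiv2.so.2 libplain.so.2; do
        : > "$tmp/src/$f"
    done
    build_sasl_dir "$tmp/src" "$tmp/sasl2" '*cram*'
    echo $(ls "$tmp/sasl2")               # plugins the server would load
    rm -rf "$tmp"
}
```

Point SASL_PATH at the resulting directory as in step 4, restart the server, then pipe the root DSE query output into `mech_listed` to confirm the mechanism is no longer advertised.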
Comment 2 Nathan Kinder 2007-10-05 13:23:39 EDT
Rich's suggestion should work fine.  There is also another method that should
work, although I haven't attempted to use it myself.  Cyrus SASL has support for
creating an <app>.conf file that allows you to configure what mechanisms the
SASL library will support for that given application.  We rely on SASL to
generate the list of supported mechanisms that are listed in the root DSE, so
this would address the problem.
Comment 3 Rich Megginson 2009-04-09 12:55:34 EDT
Putting this on the list for the next release.
