This bug is created as a clone of upstream ticket:
In some setups we'll have specific SASL mechs not supported. For example, FreeIPA does not support SASL digest-md5 mech.
When the rootDSE advertises this mech because it exists in the list of SASL mechs, the client tries to use it and always fails.
We would like to see a method in cn=config to blacklist certain SASL mechs per instance. This is different from ticket #220 in which 389-ds can detect unusable mechs by way of used transport.
Moving all ON_QA bugs to MODIFIED in order to add them to the errata (bugs in the ON_QA state can't be added to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA.
[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=config" -s base | grep nsslapd-allowed-sasl-mechanisms
[root@localhost jrusnack]# ldapmodify -D "cn=directory manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-sasl-mechanisms
> nsslapd-allowed-sasl-mechanisms: GSSAPI
> EOF
modifying entry "cn=config"
[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=config" -s base nsslapd-allowed-sasl-mechanisms
# extended LDIF
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: nsslapd-allowed-sasl-mechanisms
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
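As an added example (not part of this bug's comments and not 389-ds code): the check a tester would run after setting nsslapd-allowed-sasl-mechanisms, to confirm the rootDSE no longer advertises a mechanism the server cannot actually service. It parses ldapsearch-style LDIF output of the rootDSE's supportedSASLMechanisms values and reports any mechanism missing from an allow-list. The two LDIF samples are constructed for the example; the live ldapsearch command in the comment is the standard OpenLDAP client invocation.

```shell
#!/bin/sh
# Added example (not from the bug or 389-ds): verify that the rootDSE only
# advertises SASL mechanisms from an allow-list.  The LDIF samples below are
# constructed to stand in for what
#   ldapsearch -x -H ldap://localhost -b "" -s base supportedSASLMechanisms
# returns before and after nsslapd-allowed-sasl-mechanisms is set to GSSAPI.

# Constructed: rootDSE listing every mechanism the SASL library offers,
# including DIGEST-MD5, which the bug reports FreeIPA cannot service.
ROOTDSE_BEFORE='dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN'

# Constructed: rootDSE after the server is restricted to GSSAPI.
ROOTDSE_AFTER='dn:
supportedSASLMechanisms: GSSAPI'

# Print each supportedSASLMechanisms value from LDIF text, one per line.
advertised_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: *//p'
}

# Print the mechanisms advertised in the LDIF $1 that are absent from the
# space-separated allow-list $2.  Exit status 1 if any were found, 0 if the
# rootDSE advertises nothing outside the allow-list.
unexpected_mechs() {
    _ldif=$1 _allowed=$2 _rc=0
    for _m in $(advertised_mechs "$_ldif"); do
        case " $_allowed " in
            *" $_m "*) ;;                      # on the allow-list
            *) printf '%s\n' "$_m"; _rc=1 ;;   # advertised but not allowed
        esac
    done
    return $_rc
}

echo "Before (allow-list: GSSAPI), mechs a client could still pick and fail on:"
unexpected_mechs "$ROOTDSE_BEFORE" "GSSAPI" || true
echo "After:"
if unexpected_mechs "$ROOTDSE_AFTER" "GSSAPI"; then
    echo "ok: rootDSE advertises only allowed mechanisms"
fi
```

Against a live server, replace the constructed variables with the output of the ldapsearch command in the comment, run once before and once after the ldapmodify shown above; a non-zero exit from unexpected_mechs after the change means the restriction did not take effect.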
The feature is implemented in the latest RHEL7 389; testing is yet to be done. Bugs in this feature will be filed separately.
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.