Francesco Grossi wrote:
I've set up my prototype mechanism xmech (by writing xmech.c and
xmech_init.c and creating libxmech.so & libxmech.la) and call it by the
sample SASL Cyrus client and server so that client.c and server.c seem
working fine (referencing -m x) when used alone: I've
logged callback functions of my xmech.c and the following is recorded during
login phase:
xmech_client_plug_init
xmech_client_mech_new
xmech_client_mech_step
xmech_server_mech_new
xmech_server_mech_step
xmech_server_mech_step.
here's my problem:
How can I instruct OpenLpap to call SASL and my xmech mechanism. When I log
into OpenLDAP the native authentication takes place. How can I make OpenLDAP
route authentication towards SALS (and SASL towards xmech)?
I've benn through some web pages and got out something about slapd.conf and
its sasl parameters, sasl-regexp in particular.
You can restrict which mechanisms are offered by configuring sasl_mech
in your sasl slapd.conf (not to be confused with the OpenLDAP slapd.conf
configuration file).
The default location for that file is in /usr/lib/sasl2/. It should be
the location that was specified with the --with-configdir configure
option when you compiled sasl.
The following would restrict your offered mechanims to xmech:
sasl_mech: xmech
However, if not specified, it should offer all installed mechanisms. I'd
recommend running 'pluginviewer' on the server and client systems to
verify the mechanism got installed. Also, you can do:
ldapsearch -x -H ldap://ldap.example.com -LLL -s "base" -b ""
supportedSASLMechanisms
to find out if the server is offering the mechanism.
You can force ldapsearch to use a specific mechanism with the '-Y'
option, or you can specify it in ~/.ldaprc (see man ldap.conf):
SASL_MECH xmech
Do not specify '-x' in your ldapsearch to force it to use SASL.
- Dan