how to set the default SASL auth mech

Question

how to set the default SASL auth mech

Does any body know how I can set the default SASL auth mechanism? I can currentlly authenticate to slapd only when requesting manualy CRAM-MD5 and I would very much like to set that as the default. In a non-macosx server environment creating a
/usr/lib/sasl2/[service_name].conf
file and putting in
'mech_list: CRAM-MD5'
solves the issue, but on macos x server it doesnt really help. I'm not sure if this is the correct file at all.
(situation described in detail hre: http://discussions.apple.com/thread.jspa?threadID=894046&tstart=0)

Xserve G4 Mac OS X (10.4.9)

Xserve G4, Mac OS X (10.4.8)

Posted on Mar 23, 2007 2:59 AM

Reply

Answer 1

Mar 23, 2007 3:21 AM in response to Ivailo Djilianov

Use ldap.conf on the requesting client. afair it should live in /etc/openldap/ldap.conf. Messing with /usr/lib/sasl2/[service_name].conf is not appropiate in your scenario </guessing mode>.

See man ldap.conf

HTH

-Ralph

Reply

Answer 2

Mar 23, 2007 6:10 AM in response to slowfranklin

I changed the ldap.conf file adding:
SASL_MECH CRAM-MD5
Still no go. when I try authenticating I still get
SASL/GSSAPI authentication started
and the failure with GSSAPI Error no server found etc.

If I go with the manual override you suggested previously -Y CRAM-MD5 I get
SASL/CRAM-MD5 authentication started
and success

Reply

Answer 3

Mar 23, 2007 7:17 AM in response to Ivailo Djilianov

Reading ldap.conf says:
SASL_MECH is a user-only option. So you have to use .ldaprc in your home dir. See the man page for details.

HTH

-Ralph

Reply

Answer 4

Mar 23, 2007 8:14 AM in response to slowfranklin

slowfranklin, you are exactly right. Putting the SASL_MECH option in .ldaprc wil ensure that this is the auth mech used each time after the file is executed. But that would not help me, because I'm looking for a solution for non-CLI-savvy users. If I have to go to the command line I use -Y option, but this want help GUI applications. This is why I was looking for a server based solution.

Reply

Answer 5

Mar 24, 2007 9:22 AM in response to Ivailo Djilianov

Then help us end guessing mode and describe what you want to do.

-Ralph

Reply

Answer 6

Mar 26, 2007 2:55 AM in response to slowfranklin

Slowfranklin, thanks for your helpful posts.
My ultimate goal is to have a shared conact list in our OD database. I want to be able to give Joe User a friendly interface to insert update and use this contact list. 2 solutions I found are j2anywhere.com's AddressBookXLDAP and the open source package phpLDAPadmin (far more complicated, but OK). Both won't work on my particular setup and I'm trying to figure out why. You helped me figure out how to authenticate (this thread: http://discussions.apple.com/thread.jspa?threadID=894046&tstart=0). My guess is, if I use the same settings for ABXLdap thinks will start working. I don't have no way to set the -Y CRAM-MD5 option on the application level, so I'm looking for a way to set it golobally, on the server level.

Reply

Answer 7

Mar 27, 2007 5:17 AM in response to Ivailo Djilianov

Both won't work on my particular setup and I'm trying
to figure out why.

So the question is: what is so particular in your setup? ABxLDAP should integrate with OD just fine. Have you read:
http://www.j2anywhere.com/j2anywhere/projects/abxldap/AddressBookXLDAP_Manual.pd f ?

-Ralph

Reply

Answer 8

Mar 27, 2007 5:55 AM in response to slowfranklin

yes, as a matter of fact I have! it is a great project, and I would really like to get it working. The manual describes setting up OD on a non-server tiger installation, but it is quite OK. Problem is it just crashes on me upon sync attempt without any useful info in the logs. The older version AB2LDAP, doen't crash, it shows a progress bar that should mean contacts transferred, but doesn't in fact even show in the server logs. I tried to contact the developer of the application but I didn't get any response from him, thats why I tried searching for a deeper solution.
Thanks,
Ivailo

Reply