https://bugs.openldap.org/show_bug.cgi?id=10065
--- Comment #7 from sean@teletech.com.au --- (In reply to Quanah Gibson-Mount from comment #6)
I was told at one point it doesn't require cyrus-sasl (which IMHO would be rather nice).
I have really only spoken about what slapd puts into its "supportedSASLMechanisms" attribute. If the client is preconfigured to use a particular mechanism, it would probably not query the supportedSASLMechanisms value. If the client requests "EXTERNAL" without checking its availability, authentication should still succeed - provided slapd has constructed an authid. But this interaction is still mediated by Cyrus-sasl. Indeed, it is SASL that defined the semantics of "EXTERNAL"; it would be hard to completely remove it. I suppose if the ONLY mechanisms supported were PLAIN and EXTERNAL, you could create a trivial SASL implementation and do without Cyrus-sasl. That might be a good way to reduce the attack surface, but a better way would be to put the TLS layer into a separate process. Back to the idea of using an external proxy.
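The two client behaviours contrasted in comment #7 (query the rootDSE and honour supportedSASLMechanisms, versus request EXTERNAL unconditionally and rely on slapd having built an authid) as an added worked example. This is not OpenLDAP project code and not from the thread; the rootDSE LDIF is a constructed sample of what `ldapsearch -LLL -H ldapi:/// -x -b '' -s base supportedSASLMechanisms` might return, the mechanism list is an assumption that varies per build, and the function names are hypothetical. The cn=peercred authid form is OpenLDAP's own convention for ldapi:// connections.

```python
"""Added example (not OpenLDAP code): client-side handling of SASL EXTERNAL
versus the server's advertised supportedSASLMechanisms."""
import base64

# Constructed sample rootDSE output, as from:
#   ldapsearch -LLL -H ldapi:/// -x -b '' -s base supportedSASLMechanisms
# The mechanism list is an assumption; a real slapd advertises whatever its
# cyrus-sasl plugins and olcSaslSecProps allow.
ROOT_DSE_LDIF = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
"""

# Constructed sample of a server that does not advertise EXTERNAL.
ROOT_DSE_NO_EXTERNAL_LDIF = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
"""


def parse_ldif_attr(ldif_text: str, attr: str) -> list[str]:
    """Return every value of `attr` from a single-entry LDIF text.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64 values (written as 'attr:: <b64>'). Attribute names are
    matched case-insensitively, as LDAP attribute types are.
    """
    unfolded: list[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    prefix = attr.lower() + ":"
    values: list[str] = []
    for line in unfolded:
        if not line.lower().startswith(prefix):
            continue
        rest = line[len(prefix):]
        if rest.startswith(":"):
            rest = base64.b64decode(rest[1:].strip()).decode()
        values.append(rest.strip())
    return values


def choose_sasl_mechanism(advertised: list[str], preferred: str = "EXTERNAL",
                          check_advertised: bool = True):
    """Decide which mechanism the client will request, or None.

    check_advertised=True models a client that consults the rootDSE and only
    asks for a mechanism slapd advertises. check_advertised=False models the
    preconfigured client from the comment: it never looks at
    supportedSASLMechanisms and asks for `preferred` regardless, leaving it to
    slapd (via cyrus-sasl) to accept or reject the bind.
    """
    if not check_advertised:
        return preferred.upper()
    mechs = {m.upper() for m in advertised}
    return preferred.upper() if preferred.upper() in mechs else None


def external_authid(peer_uid=None, peer_gid=None, tls_subject_dn=None):
    """Model of the identity slapd derives for an EXTERNAL bind.

    Over ldapi:// slapd uses the Unix peer credentials in OpenLDAP's
    cn=peercred form; over TLS it uses the client certificate subject DN.
    Returns None when there is nothing to build an authid from, which is the
    case where an unconditional EXTERNAL request cannot succeed.
    """
    if peer_uid is not None and peer_gid is not None:
        return (f"gidNumber={peer_gid}+uidNumber={peer_uid},"
                "cn=peercred,cn=external,cn=auth")
    if tls_subject_dn:
        return tls_subject_dn
    return None


if __name__ == "__main__":
    mechs = parse_ldif_attr(ROOT_DSE_LDIF, "supportedSASLMechanisms")
    print("advertised:", mechs)
    print("checking client picks:", choose_sasl_mechanism(mechs))
    print("preconfigured client picks:",
          choose_sasl_mechanism([], check_advertised=False))
    print("ldapi authid:", external_authid(peer_uid=0, peer_gid=0))
    print("no authid:", external_authid())
```

The checking client degrades gracefully when EXTERNAL is absent from the rootDSE; the preconfigured client always asks for EXTERNAL and only succeeds when `external_authid` (standing in for slapd's own authid construction) has something to return.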