I found that the patch I proposed actually threw out the baby with the bathwater; rejecting all plugins is inappropriate. So here is a revised version that only excludes the ldapdb plugin specifically:
diff -brpu openldap-2.4.28-orig/servers/slapd/sasl.c openldap-2.4.28/servers/slapd/sasl.c
--- openldap-2.4.28-orig/servers/slapd/sasl.c 2011-11-25 19:52:29.000000000 +0100
+++ openldap-2.4.28/servers/slapd/sasl.c 2012-01-02 01:48:58.000000000 +0100
@@ -67,6 +67,24 @@ char *slap_sasl_auxprops;
#ifdef HAVE_CYRUS_SASL
+/* Do not load the ldapdb plugin */
+static int
+slap_sasl_verifyfile(
+ void *context,
+ const char *file,
+ sasl_verify_type_t type)
+{
+ int res = SASL_OK;
+
+ if (type == SASL_VRFY_PLUGIN) {
+ static const char name[] = "libldapdb.so";
+ const char * const p = strstr(file, name);
+ if (p && !strchr(p, '/'))
+ res = SASL_CONTINUE;
+ }
+ return res;
+}
+
 /* Just use our internal auxprop by default */
 static int
 slap_sasl_getopt(
@@ -1111,6 +1129,7 @@ int slap_sasl_init( void )
 static sasl_callback_t server_callbacks[] = {
 { SASL_CB_LOG, &slap_sasl_log, NULL },
 { SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
+ { SASL_CB_VERIFYFILE, &slap_sasl_verifyfile, NULL },
 { SASL_CB_LIST_END, NULL, NULL }
 };
 #endif
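Review bot: In slap_sasl_verifyfile (first hunk) the test `strstr(file, name)` looks only at the first occurrence of "libldapdb.so" in the path, so when a directory component contains that string the `!strchr(p, '/')` check fails on that first match and the plugin file itself is never examined, meaning it would still be loaded. Matching on the basename avoids this: `const char *base = strrchr(file, '/');` followed by `if (strstr(base ? base + 1 : file, name)) res = SASL_CONTINUE;`. The hard-coded `.so` suffix also means the filter presumably has no effect on platforms whose plugins use a different extension, and a copy of the plugin under another file name is not caught. A comment above the function stating that this is a name-based filter, and that returning `SASL_CONTINUE` tells the library to skip the file rather than fail, would make that limit explicit.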