At 12:49 AM 10/26/2006, Hai Zaar wrote:
Is there any way to specify sasl-secprops separately for each transport type? For ldapi:/// I want "sasl-secprops noanonymous,noplain", and "sasl-secprops noanonymous,noplain,noactive" for the rest.
no.
The idea is to require SASL GSSAPI for everyone, with the only exception being clients connecting via ldapi (like the Heimdal KDC) - they need SASL EXTERNAL.
I note that "noactive" doesn't restrict SASL to just GSSAPI. There are other mechanisms that meet the "noactive" criteria. (See the Cyrus SASL docs/list.)
I would simply configure Cyrus SASL with support only for GSSAPI and EXTERNAL (see Cyrus SASL docs/lists for help here). Assuming you don't provide clients with means to do EXTERNAL except by ldapi://, then you basically would get what you want. And if you did provide means for a client to use EXTERNAL by other means, seems you should consider allowing EXTERNAL through these other means.
Or you could hack Cyrus SASL so that EXTERNAL is available when "noactive" is set. (See the Cyrus SASL docs/list.)
Kurt
openldap-software@openldap.org