Guide to the Linux Manual


ldap.conf(5)

LDAP configuration file/environment variables

SASL options

If OpenLDAP is built with Simple Authentication and Security Layer support, there are more options you can specify.

SASL_MECH <mechanism> Specifies the SASL mechanism to use.

SASL_REALM <realm> Specifies the SASL realm.

SASL_AUTHCID <authcid> Specifies the authentication identity. This is a user-only option.

SASL_AUTHZID <authcid> Specifies the proxy authorization identity. This is a user-only option.

SASL_SECPROPS <properties> Specifies Cyrus SASL security properties. The <properties> can be specified as a comma-separated list of the following:

none (without any other properties) causes the properties defaults ("noanonymous,noplain") to be cleared.

noplain disables mechanisms susceptible to simple passive attacks.

noactive disables mechanisms susceptible to active attacks.

nodict disables mechanisms susceptible to passive dictionary attacks.

noanonymous disables mechanisms which support anonymous login.

forwardsec requires forward secrecy between sessions.

passcred requires mechanisms which pass client credentials (and allows mechanisms which can pass credentials to do so).

minssf=<factor> specifies the minimum acceptable security strength factor as an integer approximating the effective key length used for encryption. 0 (zero) implies no protection, 1 implies integrity protection only, 128 allows RC4, Blowfish and other similar ciphers, 256 will require modern ciphers. The default is 0.

maxssf=<factor> specifies the maximum acceptable security strength factor as an integer (see minssf description). The default is INT_MAX.

maxbufsize=<factor> specifies the maximum security layer receive buffer size allowed. 0 disables security layers. The default is 65536.

SASL_NOCANON <on/true/yes/off/false/no> Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.

SASL_CBINDING <none/tls-unique/tls-endpoint> The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
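
An added example (not part of the manual page or of OpenLDAP): a small Python check that reads ldap.conf-style text and reports the SASL settings described above that leave a connection weakly protected. The sample configurations are constructed; the threshold of 128, the 32-bit INT_MAX, and the requirement to write noplain and noanonymous out explicitly are assumptions and policy choices of this example.

```python
DEFAULT_FLAGS = {"noanonymous", "noplain"}  # defaults named in the man page
INT_MAX = 2**31 - 1                         # assumption: 32-bit int

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are upper-cased, '#' lines skipped."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def audit_sasl(text, required_ssf=128):
    """List findings for SASL_SECPROPS / SASL_CBINDING in an ldap.conf text."""
    opts = parse_ldap_conf(text)
    props = [p.strip().lower() for p in opts.get("SASL_SECPROPS", "").split(",") if p.strip()]
    nums = {"minssf": 0, "maxssf": INT_MAX, "maxbufsize": 65536}  # documented defaults
    flags = set()
    for p in props:
        name, eq, val = p.partition("=")
        if eq and name in nums:
            nums[name] = int(val)
        else:
            flags.add(name)
    findings = []
    if props == ["none"]:
        findings.append("secprops 'none' clears the noanonymous,noplain defaults")
    elif props:
        # Policy of this example: hardening flags must be written out, not inferred.
        findings += [f"{f} not listed explicitly" for f in sorted(DEFAULT_FLAGS - flags)]
    if nums["minssf"] < required_ssf:
        findings.append(f"minssf={nums['minssf']} is below {required_ssf}")
    if nums["maxssf"] < nums["minssf"]:
        findings.append("maxssf is lower than minssf")
    if nums["maxbufsize"] == 0:
        findings.append("maxbufsize=0 disables security layers")
    if opts.get("SASL_CBINDING", "none").lower() == "none":
        findings.append("SASL_CBINDING is none (no channel binding)")
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = "# constructed sample\nSASL_MECH GSSAPI\nSASL_SECPROPS none\n"
HARDENED = "SASL_MECH GSSAPI\nSASL_SECPROPS noanonymous,noplain,minssf=128\nSASL_CBINDING tls-endpoint\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sasl(conf))
```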