389ds added this feature a while ago: http://port389.org/wiki/Design/SASL_Mechanism_Configuration
We should use it in IPA to filter out by default mechanisms like DIGEST-MD5 and CRAM-MD5 which we do not really support and may cause issues with some clients (unnecessary bind attempts with unsupported mechanisms).
One of these clients is AD, we've seen it trying to use DIGEST-MD5 at times in the trust scenario, and we do not want it to try DIGEST-MD5 when we will build the Global Catalog.
Will be needed for GC effort.
Starting to shape next release
Unless we get help, there is no capacity (and expertise) to do it in 4.2.
This ticket also blocks OS X support. When attempting to register a host in IPA, OS X attempts CRAM-MD5. If it's not offered, it goes for PLAIN login. We should also have a method to disable insecure login methods on non-SSL connections. I will update 4813 with the required changes for OS X support as soon as I have a fully functional configuration. It works like an Open Directory for getting the list of hosts/hostgroups/users/groups, but it cannot currently register/bind the host because without SSL the host cannot change its own password using the LDAP password extension. Kerberos status is unknown at this time, but I expect it to work eventually.
nsslapd-minssf can be used to disallow insecure connections.
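The two controls discussed in this ticket (restricting the SASL mechanisms 389ds advertises, and using nsslapd-minssf to refuse clear-text binds) are illustrated below with a small audit-and-remediate script. This is an added example, not code from FreeIPA or 389ds: the root DSE dump is constructed, the allow-list (GSSAPI, GSS-SPNEGO, EXTERNAL), the nsslapd-minssf value of 56 and the space-separated value format for nsslapd-allowed-sasl-mechanisms are assumptions for the example, and IPA's actual defaults may differ. The script flags the mechanisms the ticket calls out (DIGEST-MD5, CRAM-MD5, and PLAIN/LOGIN when clear-text binds are still possible) and emits the ldapmodify LDIF that would restrict them.

```python
"""Audit a 389ds root DSE for SASL mechanisms an IPA server should not offer,
and produce the cn=config LDIF that restricts them.

Added example; not IPA's or 389ds's own code. Allow-list, minssf value and
value format are assumptions (see comments)."""

# Mechanisms the ticket names as unsupported by IPA and known to provoke
# useless bind attempts from clients such as AD and OS X.
UNWANTED_MECHS = {"DIGEST-MD5", "CRAM-MD5"}

# Mechanisms that send the password in clear unless the connection is protected.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Assumed allow-list for an IPA directory server (not IPA's verified default).
ALLOWED_MECHS = ["GSSAPI", "GSS-SPNEGO", "EXTERNAL"]

# Constructed sample of `ldapsearch -x -s base -b "" supportedSASLMechanisms`.
SAMPLE_ROOT_DSE = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
"""


def parse_root_dse(ldif_text):
    """Return the supportedSASLMechanisms values from a root DSE LDIF dump."""
    mechs = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.append(value.strip())
    return mechs


def audit(mechs, minssf=0):
    """Return (unwanted, cleartext) findings for an advertised mechanism list.

    PLAIN/LOGIN are only reported when nsslapd-minssf is 0, i.e. the server
    still accepts operations on unprotected connections."""
    unwanted = sorted(m for m in mechs if m in UNWANTED_MECHS)
    cleartext = [] if minssf > 0 else sorted(m for m in mechs if m in CLEARTEXT_MECHS)
    return unwanted, cleartext


def apply_allowlist(mechs, allowed=ALLOWED_MECHS):
    """Model what the server would advertise once the allow-list is in place:
    the intersection of what the SASL library offers and what is allowed."""
    return [m for m in mechs if m in allowed]


def restrict_ldif(allowed=ALLOWED_MECHS, minssf=56):
    """Build the ldapmodify LDIF restricting mechanisms and requiring an SSF.

    Assumption: nsslapd-allowed-sasl-mechanisms takes a space-separated list.
    The minssf value 56 is a placeholder; pick the minimum strength your
    deployment requires."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allowed-sasl-mechanisms\n"
        f"nsslapd-allowed-sasl-mechanisms: {' '.join(allowed)}\n"
        "-\n"
        "replace: nsslapd-minssf\n"
        f"nsslapd-minssf: {minssf}\n"
        "-\n"
    )


if __name__ == "__main__":
    advertised = parse_root_dse(SAMPLE_ROOT_DSE)
    unwanted, cleartext = audit(advertised)
    print("unsupported mechanisms offered:", unwanted)
    print("clear-text mechanisms offered without minssf:", cleartext)
    print("after allow-list:", apply_allowlist(advertised))
    # Feed this to: ldapmodify -H ldaps://<server> -D "cn=Directory Manager" -W
    print(restrict_ldif())
```

Run the script as-is to see the findings against the constructed sample; in a real audit replace SAMPLE_ROOT_DSE with the output of an anonymous base-scope ldapsearch against the server, and apply the printed LDIF with ldapmodify as Directory Manager. Re-running parse_root_dse and audit against the server afterwards confirms the unwanted mechanisms are gone.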
Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: Future Releases