Diffstat (limited to 'cpp/src/qpid')
-rw-r--r--cpp/src/qpid/broker/Broker.cpp3
-rw-r--r--cpp/src/qpid/broker/Broker.h1
-rw-r--r--cpp/src/qpid/broker/SaslAuthenticator.cpp35
-rw-r--r--cpp/src/qpid/broker/SaslAuthenticator.h2
4 files changed, 28 insertions, 13 deletions
diff --git a/cpp/src/qpid/broker/Broker.cpp b/cpp/src/qpid/broker/Broker.cpp
index 09157c1e62..c887fa9c32 100644
--- a/cpp/src/qpid/broker/Broker.cpp
+++ b/cpp/src/qpid/broker/Broker.cpp
@@ -124,6 +124,7 @@ Broker::Options::Options(const std::string& name) :
("tcp-nodelay", optValue(tcpNoDelay), "Set TCP_NODELAY on TCP connections")
("require-encryption", optValue(requireEncrypted), "Only accept connections that are encrypted")
("known-hosts-url", optValue(knownHosts, "URL or 'none'"), "URL to send as 'known-hosts' to clients ('none' implies empty list)")
+ ("sasl-config", optValue(saslConfigPath, "FILE"), "gets sasl config from nonstandard location")
("max-session-rate", optValue(maxSessionRate, "MESSAGES/S"), "Sets the maximum message rate per session (0=unlimited)")
("async-queue-events", optValue(asyncQueueEvents, "yes|no"), "Set Queue Events async, used for services like replication");
}
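Review bot: The new `sasl-config` option labels its value `FILE`, but SaslAuthenticator::init hands the value to `sasl_set_path(SASL_PATH_TYPE_CONFIG, ...)`, which sets the directory search path Cyrus SASL uses to locate the service's config file, not a file name. An operator who passes a file path will most likely find that the library does not pick up the intended configuration, and the broker may then run with the library's default mechanism settings rather than the ones the operator meant to enforce. Suggest `("sasl-config", optValue(saslConfigPath, "DIR"), "Directory to search for the SASL config file instead of the default location")`. The Options constructor starts outside this hunk.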
@@ -263,7 +264,7 @@ Broker::Broker(const Broker::Options& conf) :
* SASL setup, can fail and terminate startup
*/
if (conf.auth) {
- SaslAuthenticator::init(qpid::saslName);
+ SaslAuthenticator::init(qpid::saslName, conf.saslConfigPath);
QPID_LOG(info, "SASL enabled");
} else {
QPID_LOG(notice, "SASL disabled: No Authentication Performed");
diff --git a/cpp/src/qpid/broker/Broker.h b/cpp/src/qpid/broker/Broker.h
index f55f94bc8e..10408867dc 100644
--- a/cpp/src/qpid/broker/Broker.h
+++ b/cpp/src/qpid/broker/Broker.h
@@ -110,6 +110,7 @@ public:
bool tcpNoDelay;
bool requireEncrypted;
std::string knownHosts;
+ std::string saslConfigPath;
uint32_t maxSessionRate;
bool asyncQueueEvents;
bool qmf2Support;
diff --git a/cpp/src/qpid/broker/SaslAuthenticator.cpp b/cpp/src/qpid/broker/SaslAuthenticator.cpp
index c55f3edb38..b54eb19971 100644
--- a/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -93,9 +93,20 @@ bool SaslAuthenticator::available(void) {
}
// Initialize the SASL mechanism; throw if it fails.
-void SaslAuthenticator::init(const std::string& saslName)
+void SaslAuthenticator::init(const std::string& saslName, std::string const & saslConfigPath )
{
- int code = sasl_server_init(NULL, saslName.c_str());
+ int code;
+ // If we are not given a specific sasl path, do
+ // nothing and allow the default to be used.
+ if ( ! saslConfigPath.empty() ) {
+ if(SASL_OK != (code=sasl_set_path(SASL_PATH_TYPE_CONFIG, const_cast<char *>(saslConfigPath.c_str())))) {
+ QPID_LOG(error, "SASL: sasl_set_path: [" << code << "] " );
+ return;
+ }
+ QPID_LOG(info, "SASL: config path set to " << saslConfigPath );
+ }
+
+ code = sasl_server_init(NULL, saslName.c_str());
if (code != SASL_OK) {
// TODO: Figure out who owns the char* returned by
// sasl_errstring, though it probably does not matter much
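Review bot: When `sasl_set_path` fails, the added branch logs and does `return;`, so `sasl_server_init` is never called and init returns normally, contradicting the "throw if it fails" comment above the function. The caller in the Broker constructor hunk (Broker.cpp) then logs "SASL enabled" and startup continues with authentication requested but the SASL library uninitialised. Replace the `return;` with a throw of the same exception type the `sasl_server_init` failure branch uses (that branch continues outside this hunk), for example `throw Exception(QPID_MSG("SASL: sasl_set_path failed: [" << code << "] " << sasl_errstring(code, NULL, NULL)));` if that is the convention there. The error log currently ends after the numeric code; adding the rejected path and the error string would tell the operator what to fix, and checking that the path is an existing, readable directory before the call would catch typos that the library may otherwise ignore silently.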
@@ -224,18 +235,20 @@ void CyrusAuthenticator::init()
* which cannot specify a realm for the user that is
* authenticating.
*/
+ int code;
+
const char *realm = connection.getBroker().getOptions().realm.c_str();
- int code = sasl_server_new(BROKER_SASL_NAME, /* Service name */
- NULL, /* Server FQDN, gethostname() */
- realm, /* Authentication realm */
- NULL, /* Local IP, needed for some mechanism */
- NULL, /* Remote IP, needed for some mechanism */
- NULL, /* Callbacks */
- 0, /* Connection flags */
- &sasl_conn);
+ code = sasl_server_new(BROKER_SASL_NAME, /* Service name */
+ NULL, /* Server FQDN, gethostname() */
+ realm, /* Authentication realm */
+ NULL, /* Local IP, needed for some mechanism */
+ NULL, /* Remote IP, needed for some mechanism */
+ NULL, /* Callbacks */
+ 0, /* Connection flags */
+ &sasl_conn);
if (SASL_OK != code) {
- QPID_LOG(info, "SASL: Connection creation failed: [" << code << "] " << sasl_errdetail(sasl_conn));
+ QPID_LOG(error, "SASL: Connection creation failed: [" << code << "] " << sasl_errdetail(sasl_conn));
// TODO: Change this to an exception signaling
// server error, when one is available
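Review bot: The line whose level is raised to `error` still streams `sasl_errdetail(sasl_conn)` on the path where `sasl_server_new` has just failed, so `sasl_conn` may not refer to a valid connection at that point; whether it is initialised before the call is not visible in this hunk. Deriving the text from the return code avoids depending on it: `QPID_LOG(error, "SASL: Connection creation failed: [" << code << "] " << sasl_errstring(code, NULL, NULL));`. Separating `int code;` from its first assignment also leaves the variable uninitialised for no visible benefit; the original `int code = sasl_server_new(...)` form is preferable. CyrusAuthenticator::init starts and ends outside the hunk.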
diff --git a/cpp/src/qpid/broker/SaslAuthenticator.h b/cpp/src/qpid/broker/SaslAuthenticator.h
index f4ad24b3bd..b4b946f7ce 100644
--- a/cpp/src/qpid/broker/SaslAuthenticator.h
+++ b/cpp/src/qpid/broker/SaslAuthenticator.h
@@ -58,7 +58,7 @@ public:
static bool available(void);
// Initialize the SASL mechanism; throw if it fails.
- static void init(const std::string& saslName);
+ static void init(const std::string& saslName, std::string const & saslConfigPath );
static void fini(void);
static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection, bool isShadow);
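Review bot: The comment above `init` no longer covers the full contract, since it says nothing about `saslConfigPath` or that an empty string keeps the library's default location. Suggest `// Initialize the SASL mechanism; throw if it fails. saslConfigPath is the directory searched for the SASL config file; empty means use the library default.` A default argument, `std::string const & saslConfigPath = std::string()`, would also keep any existing single-argument callers compiling; whether such callers exist is not visible here.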