System Grab Bag

View all man pages from Ubuntu (or from all projects)
'\" -*- coding: UTF-8 -*- \\$2 \(la\\$1\(ra\\$3

Name

libsasl - authentication library

Synopsis

Cyrus SASL library handling communication between an application and the Cyrus SASL authentication framework.

Description

This document describes generic configuration options for the Cyrus SASL authentication library \*(T<libsasl\*(T>.

The library handles communication between an application and the Cyrus SASL authentication framework. Both exchange information before \*(T<libsasl\*(T> can start offering authentication services for the application.

The application, among other data, sends the \*(T<service_name\*(T>. The service name is the services name as specified by IANA. SMTP servers, for example, send \*(T<smtp\*(T> as \*(T<service_name\*(T>. This information is handed over by \*(T<libsasl\*(T> e.g. when Kerberos or PAM authentication takes place.

Configuration options in general are read either from a file or passed by the application using \*(T<libsasl\*(T> during library initialization.

File-Based Configuration

When an application (server) starts, it initializes the \*(T<libsasl\*(T> library. The application passes \*(T<app_name\*(T> (application name) to the SASL library. Its value is used to construct the name of the application specific SASL configuration file. The Cyrus SASL sample-server, for example, sends \*(T<sample\*(T> as \*(T<app_name\*(T>. Using this value the SASL library will search the configuration directories for a file named \*(T<sample.conf\*(T> and read configuration options from it. Note

Consult the applications manual to determine what \*(T<app_name\*(T> it sends to the Cyrus SASL library.

Application-Based Configuration

Configuration options for \*(T<libsasl\*(T> are written down together with application specific options in the applications configuration file. The application reads them and passes them over to \*(T<libsasl\*(T> when it loads the library. Note

An example for application-based configuration is the Cyrus IMAP server \*(T<imapd\*(T>. SASL configuration is written to \*(T<imapd.conf\*(T> and passed to the SASL library when the \*(T<imapd\*(T> server starts.

Configuration Syntax

The general format of Cyrus SASL configuration file is as follows:

Configuration options Configuration options are written each on a single physical line. Parameter and value must be separated by a colon and a single whitespace: 

\*(T<parameter: value\*(T>
Important There must be no trailing whitespace after the value or Cyrus SASL will fail to apply the value appropriately!

Comments, Empty lines and whitespace-only lines Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a \(oq#\(cq.

Options

There are generic options and options specific to the password verification service or auxiliary property plugin chosen by the administrator. Such specific options are documented in manuals listed in libsasl(5).

The following configuration parameters are generic configuration options:

\*(T<authdaemond_path\*(T> (default: \*(T</dev/null\*(T>) Path to Courier MTA authdaemond's unix socket. Only applicable when \*(T<pwcheck_method\*(T> is set to \*(T<authdaemond\*(T>.

\*(T<auto_transition\*(T>: (default: \*(T<no\*(T>) Automatically transition users to other mechanisms when they do a successful plaintext authentication and if an auxprop plugin is used. Important This option does not apply to the ldapdb(5) plugin. It is a read-only plugin.

\*(T<no\*(T> Do not transition users to other mechanisms.

\*(T<noplain\*(T> Transition users to other mechanisms, but write non-plaintext secrets only.

\*(T<yes\*(T> Transition users to other mechanisms. Note The only mechanisms (as currently implemented) which don't use plaintext secrets are OTP and SRP.

\*(T<auxprop_plugin\*(T>: (default: empty) A whitespace-separated list of one or more auxiliary plugins used if the \*(T<pwcheck_method\*(T> parameter specifies \*(T<auxprop\*(T> as an option. Plugins will be queried in list order. If no plugin is specified, all available plugins will be queried.

\*(T<ldapdb\*(T> Specify \*(T<ldapdb\*(T> to use the Cyrus SASL ldapdb(5) plugin.

\*(T<sasldb\*(T> Specify \*(T<sasldb\*(T> to use the Cyrus SASL sasldb(5) plugin.

\*(T<sql\*(T> Specify \*(T<sql\*(T> to use the Cyrus SASL sql(5) plugin.

\*(T<log_level\*(T>: (default: \*(T<1\*(T>) Specifies a numeric log level. Available log levels are:

\*(T<0\*(T> Don't log anything

\*(T<1\*(T> Log unusual errors

\*(T<2\*(T> Log all authentication failures

\*(T<3\*(T> Log non-fatal warnings

\*(T<4\*(T> More verbose than 3

\*(T<5\*(T> More verbose than 4

\*(T<6\*(T> Traces of internal protocols

\*(T<7\*(T> Traces of internal protocols, including passwords Important Cyrus SASL sends log messages to the application that runs it. The application decides if it forwards such messages to the sysklogd(8) service, to which \*(T<facility\*(T> they are sent and which \*(T<priority\*(T> is given to the message.

\*(T<mech_list\*(T>: (default: empty) The optional \*(T<mech_list\*(T> parameter specifies a whitespace-separated list of one or more mechanisms allowed for authentication.

\*(T<pwcheck_method\*(T>: (default: \*(T<auxprop\*(T>) A whitespace-separated list of one or more mechanisms. Cyrus SASL provides the following mechanisms:

\*(T<authdaemond\*(T> Configures Cyrus SASL to contact the Courier MTA authdaemond(8) password verification service for password verification.

\*(T<alwaystrue\*(T> Lets the pwcheck succeed always.

\*(T<auxprop\*(T> Cyrus SASL will use its own plugin infrastructure to verify passwords. The \*(T<auxprop_plugin\*(T> parameter controls which plugins will be used.

\*(T<pwcheck\*(T> Verify passwords using the Cyrus SASL pwcheck(8) password verification service. The pwcheck daemon is considered deprecated and should not be used anymore. Use the saslauthd password verification service instead.

\*(T<saslauthd\*(T> Verify passwords using the Cyrus SASL saslauthd(8) password verification service.

\*(T<saslauthd_path\*(T>: (default: empty) Path to saslauthd(8) run directory (including the \*(T</mux\*(T> named pipe)

See Also

authdaemond(5), ldapdb(5), libsasl(5), saslauthd(8), saslauthd.conf(5), saslpasswd2(5), sasldblistusers2(5), sasldb(5), sql(5)

Author

This manual was written for the Debian distribution because the original program does not have a manual page. Parts of the documentation have been taken from the Cyrus SASL's \*(T<options.html\*(T>. 

Patrick Ben Koetter
<\*(T<[email protected]\*(T>>