This document contains information on what options are used by the Cyrus SASL library and bundled mechanisms:
| Option | Used By | Description | Default |
|---|---|---|---|
| auto_transition | SASL Library | When set to 'yes' and when using the sasldb auxprop plugin, automatically transition users to other mechs when they do a successful plaintext authentication | no |
| auxprop_plugin | Auxiliary Property Plugin | Name of the auxiliary property plugin to use. A space-separated list of plugin names may be given, in which case the plugins are queried in that order | (null) - queries all plugins |
| canon_user_plugin | SASL Library | Name of canon_user plugin to use | INTERNAL |
| keytab | GSSAPI | Location of the keytab file | /etc/krb5.keytab (system dependent) |
| mech_list | SASL Library | Whitespace separated list of mechanisms to allow (e.g. 'plain otp'). Used to restrict the mechanisms to a subset of the installed plugins. | all available |
| opiekeys | OTP (with OPIE) | Location of the opiekeys file | /etc/opiekeys |
| otp_mda | OTP (w/o OPIE) | Message digest algorithm for one-time passwords, used by sasl_setpass (possible values: 'md4', 'md5', 'sha1') | md5 |
| plugin_list | SASL Library | Location of Plugin list (Unsupported) | none |
| pwcheck_method | SASL Library | Whitespace separated list of mechanisms used to verify passwords, used by sasl_checkpass (possible values: 'auxprop', 'pwcheck', 'saslauthd', 'alwaystrue') | auxprop |
| reauth_timeout | DIGEST-MD5 | Time (in minutes) for which authentication info is cached for fast reauthentication. A value of 0 disables reauth. | 0 |
| saslauthd_path | SASL Library | Path to the saslauthd run directory (not including the "/mux" named pipe) | system dependent |
| sasldb_path | sasldb plugin | Path to the sasldb file | /etc/sasldb2 (system dependent) |
| srp_mda | SRP | Message digest algorithm for SRP calculations (possible values: 'md5', 'sha1', 'rmd160') | sha1 |
| srvtab | KERBEROS_V4 | Location of the srvtab file | /etc/srvtab (system dependent) |
The select statement given in the option mysql_statement is parsed for three placeholders, %u, %r and %p, which are replaced with the username, the realm and the requested property respectively. For example:

`mysql_statement: select %p from user_table where username = '%u' and realm = '%r'`

would send the following statement to MySQL for user "bovik" and the default realm for the machine "madoka.surf.org.uk":

`select userPassword from user_table where username = 'bovik' and realm = 'madoka.surf.org.uk'`

DO NOT put quotes around the statement, but do put them around the arguments %r, %u, etc.

Not every substitution has to be used. For instance, "select password from auth where username = '%u'" is a valid value for mysql_statement.
Important note: the auxprop plugin will crash (SEGV) if the LDAP libraries are compiled against Cyrus SASL version 1 (see the code for details).

The plugin uses the following options:

- ldap_user: username to log in as
- ldap_passwd: password to use
- ldap_hostnames: comma-separated host list
- ldap_filter: filter used to reach the user's password
- ldap_basedn: base DN for the search
- ldap_verbose: if present, information is printed to syslog
The filter given in the option ldap_filter is parsed for two placeholders, %u and %r, which are replaced with the username and the realm respectively. DO NOT put " or ' quotes around the filter.

- %u is the username the user logged in as
- %r is the realm, which could be the Kerberos realm, the FQDN of the computer the SASL application is on, or whatever follows the @ in a username

For example:

`ldap_filter: uid=%u`

`ldap_filter: uid=%u,domain=%r,o=SURF`

If something matches the filter, the code will try to retrieve all requested properties, usually userPassword and cmusaslsecretMECHNAME, where MECHNAME is the name of a mechanism.

ldap_hostnames understands URL-style input, e.g. `ldap:ldap.surf.org.uk:344,ldaps:secureldap.surf.org.uk`
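As an added example (not code from the Cyrus SASL documentation or source), the placeholder expansion described for mysql_statement and for ldap_filter above, with escaping of the substituted username and realm added as an assumption, since the page does not say how the plugins treat quotes or filter metacharacters in those values:

```python
import re

# Placeholder expansion for mysql_statement / ldap_filter as described above.
# Escaping is an added hardening assumption, not something the page states.

def sql_quote_escape(value: str) -> str:
    """Escape a value that the template wraps in single quotes ('%u', '%r')."""
    return value.replace("\\", "\\\\").replace("'", "''")

def sql_identifier(value: str) -> str:
    """%p becomes a column name, so it must be a bare identifier, not a string."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", value):
        raise ValueError(f"refusing non-identifier property name: {value!r}")
    return value

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of characters that alter an LDAP filter's structure."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand(template: str, handlers: dict) -> str:
    """Replace each %x in template via handlers[x]; reject unknown placeholders."""
    def repl(match):
        key = match.group(1)
        if key not in handlers:
            raise ValueError(f"unknown placeholder %{key} in {template!r}")
        return handlers[key]()
    return re.sub(r"%(.)", repl, template)

def mysql_statement(template, user, realm, prop):
    """Build the query the mysql auxprop plugin would send for one lookup."""
    return expand(template, {
        "u": lambda: sql_quote_escape(user),
        "r": lambda: sql_quote_escape(realm),
        "p": lambda: sql_identifier(prop),
    })

def ldap_filter(template, user, realm):
    """Build the search filter the ldap auxprop plugin would use."""
    return expand(template, {
        "u": lambda: ldap_filter_escape(user),
        "r": lambda: ldap_filter_escape(realm),
    })

if __name__ == "__main__":
    # Constructed sample values, matching the page's worked example.
    print(mysql_statement("select %p from user_table where username = '%u' and realm = '%r'",
                          "bovik", "madoka.surf.org.uk", "userPassword"))
```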