1<HTML><HEAD> 2<title>Options for Cyrus SASL</title> 3<!-- $Id: options.html,v 1.33 2009/01/25 13:02:29 mel Exp $ --> 4</HEAD> 5<BODY> 6<h1>Options for Cyrus SASL</h1> 7 8<p>This document contains information on what options are used by the 9Cyrus SASL library and bundled mechanisms. The most commonly used 10options (and those that are therefore most commonly misunderstood 11are <b>pwcheck_method</b> and <b>auxprop_plugin</b>. Please ensure 12that you have configured these correctly if things don't seem to 13be working right. Additionally, <b>mech_list</b> can be an easy 14way to limit what mechanisms a given application will use.</p> 15 16<TABLE BORDER WIDTH=95%> 17<TR><TH>Option</TH><TH>Used By</TH><TH>Description</TH><TH>Default</TH></TR> 18<TR> 19<TD>authdaemond_path</TD><TD>SASL Library</TD> 20<TD>Path to Courier-IMAP authdaemond's unix socket. 21Only applicable when pwcheck_method is set to authdaemond.</TD><TD>/dev/null</TD> 22</TR> 23<TR> 24<TD>auto_transition</TD><TD>SASL Library</TD> 25<TD>When set to 'yes' or 'noplain', 26and when using an auxprop plugin, automatically transition 27users to other mechs when they do a successful plaintext 28authentication. When set to 'noplain', only non-plaintext secrets 29will be written. <I>Note that the only mechs (as currently 30implemented) which don't use plaintext secrets are 31OTP and SRP.</I></TD><TD>no</TD> 32</TR> 33<TR> 34<TD>auxprop_plugin</TD><TD>Auxiliary Property Plugin</TD> 35<TD>Name of auxiliary plugin to use, you may specify a space-separated 36list of plugin names, and the plugins will be queried in order</TD> 37<TD>(null) - querys all plugins</TD> 38</TR> 39<TR> 40<TD>canon_user_plugin</TD><TD>SASL Library</TD> 41<TD>Name of canon_user plugin to use</TD><TD>INTERNAL</TD> 42</TR> 43<TR> 44<TD>keytab</TD><TD>GSSAPI</TD> <TD>Location of keytab 45file</TD><TD><tt>/etc/krb5.keytab</tt> (system dependant)</TD> 46</TR> 47<TR> 48<TD>ldapdb_uri</TD><TD>LDAPDB plugin</TD> 49<TD>ldap server uri, you can specify a space-separated list of URIs - 50ldapi:// or ldaps://ldap1/ ldaps://ldap2/</TD> 51<TD>none</TD> 52</TR> 53<TR> 54<TD>ldapdb_id</TD><TD>LDAPDB plugin</TD> 55<TD>ldap SASL authentication id</TD> 56<TD>none</TD> 57</TR> 58<TR> 59<TD>ldapdb_mech</TD><TD>LDAPDB plugin</TD> 60<TD>ldap SASL mechanism for authentication</TD> 61<TD>none</TD> 62</TR> 63<TR> 64<TD>ldapdb_pw</TD><TD>LDAPDB plugin</TD> 65<TD>ldap password for SASL authentication id</TD> 66<TD>none</TD> 67</TR> 68<TR> 69<TD>ldapdb_rc</TD><TD>LDAPDB plugin</TD> 70<TD>The filename specified here will be put into the server's LDAPRC 71environment variable, and libldap-specific config options may be set 72in that ldaprc file. The main purpose behind this option is to allow 73a client TLS certificate to be configured, so that SASL/EXTERNAL may 74be used between the SASL server and the LDAP server. This is the most 75optimal way to use this plugin when the servers are on separate machines.</TD> 76<TD>none</TD> 77</TR> 78<TR> 79<TD>ldapdb_starttls</TD><TD>LDAPDB plugin</TD> 80<TD>Use StartTLS. This option may be set to 'try' or 'demand'. 81When set to "try" any failure in StartTLS is ignored. 82When set to "demand" then any failure aborts the connection.</TD> 83<TD>none</TD> 84</TR> 85<TR> 86<TD>ldapdb_canon_attr</TD><TD>LDAPDB plugin</TD> 87<TD>Use the value of the specified attribute as the user's 88canonical name. The attribute will be looked up in the user's LDAP 89entry. This setting must be configured in order to use LDAPDB as 90a canonuser plugin.</TD> 91<TD>none</TD> 92</TR> 93<TR> 94<TD>log_level</TD><TD>SASL Library</TD> 95<TD><b>Numeric</b> Logging Level (see <TT>SASL_LOG_*</TT> in <tt>sasl.h</tt> 96for values and descriptions</TD> 97<TD>1 (SASL_LOG_ERR)</TD> 98</TR> 99<TR> 100<TD>mech_list</TD><TD>SASL Library</TD> 101<TD>Whitespace separated list of mechanisms to allow (e.g. 'plain 102otp'). Used to restrict the mechanisms to a subset of the installed 103plugins.</TD><TD>(use all available plugins)</TD> 104</TR> 105<TR> 106<TD>ntlm_server</TD><TD>NTLM (server)</TD> 107<TD>Comma separated list of servernames (WinNT, Win2K, Samba, etc) to 108which authentication will be proxied.</TD> 109<TD>(null) - perform authentication internally</TD> 110</TR> 111<TR> 112<TD>ntlm_v2</TD><TD>NTLM (client)</TD> 113<TD>Send NTLMv2 responses to the server.</TD> 114<TD>no (send NTLMv1)</TD> 115</TR> 116<TR> 117<TD>opiekeys</TD><TD>OTP (with OPIE)</TD> 118<TD>Location of the opiekeys file</TD><TD><tt>/etc/opiekeys</tt></TD> 119</TR> 120<TR> 121<TD>otp_mda</TD><TD>OTP (w/o OPIE)</TD> 122<TD>Message digest algorithm for one-time passwords, used by sasl_setpass 123(possible values: 'md4', 'md5', 'sha1')</TD><TD><tt>md5</tt></TD> 124</TR> 125<TR> 126<TD>plugin_list</TD><TD>SASL Library</TD> 127<TD>Location of Plugin list (Unsupported)</TD><TD><i>none</i></TD> 128</TR> 129<TR> 130<TD>pwcheck_method</TD><TD>SASL Library</TD> 131<TD>Whitespace separated list of mechanisms used to verify passwords, 132used by sasl_checkpass (possible values: 'auxprop', 'saslauthd', 133'pwcheck', 'authdaemond' [if compiled with <tt>--with-authdaemond</tt>]) 134and 'alwaystrue' [if compiled with <tt>--enable-alwaystrue</tt>]) 135</TD><TD>auxprop</TD> 136</TR> 137<TR> 138<TD>reauth_timeout</TD><TD>DIGEST-MD5</TD> 139<TD>Length in time (in minutes) that authentication info will be 140cached for a fast reauth. A value of 0 will disable reauth.</TD> 141<TD>0</TD> 142</TR> 143<TR> 144<TD>saslauthd_path</TD><TD>SASL Library</TD> 145<TD>Path to saslauthd run directory (<b>including</b> the "/mux" named pipe)</TD> 146<TD>system dependant (generally won't need to be changed)</TD> 147</TR> 148<TR> 149<TD>sasldb_path</TD><TD>sasldb plugin</TD> 150<TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD> 151<TR> 152<TD>sql_engine</TD><TD>SQL plugin</TD> 153<TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite', 'sqlite3').</TD> 154<TD><tt>mysql</tt></TD> 155</TR> 156<TR> 157<TD>sql_hostnames</TD><TD>SQL plugin</TD> 158<TD>Comma separated list of SQL servers (in host[:port] format).</TD> 159<TD><i>none</i> (engine dependent)</TD> 160</TR> 161<TR> 162<TD>sql_user</TD><TD>SQL plugin</TD> 163<TD>Username to use for authentication to the SQL server.</TD> 164<TD><i>none</i> (engine dependent)</TD> 165</TR> 166<TR> 167<TD>sql_passwd</TD><TD>SQL plugin</TD> 168<TD>Password to use for authentication to the SQL server.</TD> 169<TD><i>none</i> (engine dependent)</TD> 170</TR> 171<TR> 172<TD>sql_database</TD><TD>SQL plugin</TD> 173<TD>Name of the database which contains the auxiliary properties.</TD> 174<TD><i>none</i> (engine dependent)</TD> 175</TR> 176<TR> 177<TD>sql_select</TD><TD>SQL plugin</TD> 178<TD>SELECT statement to use for fetching properties. This option is 179<b>required</b> in order to use the SQL plugin.</TD> 180<TD><i>none</i></TD> 181</TR> 182<TR> 183<TD>sql_insert</TD><TD>SQL plugin</TD> 184<TD>INSERT statement to use for creating properties for new users.</TD> 185<TD><i>none</i></TD> 186</TR> 187<TR> 188<TD>sql_update</TD><TD>SQL plugin</TD> 189<TD>UPDATE statement to use for modifying properties.</TD> 190<TD><i>none</i></TD> 191</TR> 192<TR> 193<TD>sql_usessl</TD><TD>SQL plugin</TD> 194<TD>When set to 'yes', 'on', '1' or 'true', a secure connection will 195be made to the SQL server.</TD> 196<TD><tt>no</tt></TD> 197</TR> 198<TR> 199<TD>srp_mda</TD><TD>SRP</TD> 200<TD>Message digest algorithm for SRP calculations 201(possible values: 'md5', 'sha1', 'rmd160')</TD><TD><tt>sha1</tt></TD> 202</TR> 203<TR> 204<TD>srvtab</TD><TD>KERBEROS_V4</TD> 205<TD>Location of the srvtab file</TD><TD><tt>/etc/srvtab</tt> (system 206dependant)</TD> 207</TR> 208</TABLE> 209 210<h2>Notes on SQL auxprop options</h2> 211 212<p>The <tt>sql_insert</tt> and <tt>sql_update</tt> options are 213optional and are only needed if you wish to allow the SASL library 214(e.g., saslpasswd2) and plugins (e.g., OTP) to write properties to the 215SQL server. If used, both statements MUST be provided so that 216properties can be added, changed and deleted. 217<font color=red>NOTE: The columns for writable properites MUST accept NULL values.</font> 218 219<p>The SQL statements provided in the <tt>sql_select</tt>, 220<tt>sql_insert</tt> and <tt>sql_update</tt> options can contain 221arguments which will be substituted with the appropriate values. The 222valid arguments are: 223 224<DL compact> 225<DT><tt>%u</tt> <DD>Username whose properties are being fetched/stored. 226 227<DT><tt>%p</tt> <DD>Name of the property being fetched/stored. This could 228 technically be anything, but SASL authentication will try 229 userPassword and cmusaslsecretMECHNAME (where MECHNAME is the 230 name of a SASL mechanism). 231 232<DT><tt>%r</tt> <DD>Realm to which the user belongs. This could be the 233 kerberos realm, the FQDN of the computer the SASL application is 234 running on or whatever is after the @ on a username. (read the 235 realm documentation). 236 237<DT><tt>%v</tt> <DD>Value of the property being stored (INSERT or 238 UPDATE only!). This could technically be anything depending on 239 the property itself, but is generally a userPassword. 240</DL> 241 242<font color=red>NOTE: DO NOT put quotes around the entire SQL 243statement, but each individual %u, %r and %v argument MUST be 244quoted.</font> 245 246 247<h3>Examples:</h3> 248 249<pre> 250 <tt>sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'</tt> 251</pre> 252 253 would send the following statement to SQL for user "bovik" and 254 the default realm for the machine "madoka.surf.org.uk": 255 256<pre> 257 <tt>SELECT userPassword FROM user_table WHERE username = 'bovik' and 258 realm = 'madoka.surf.org.uk';</tt> 259 260 261</pre> 262 263<pre> 264 <tt>sql_insert: INSERT INTO user_table (username, realm, %p) VALUES ('%u', '%r', '%v')</tt> 265 266</pre> 267 268 would generate the following statement to SQL for user "bovik" in 269 realm "madoka.surf.org.uk" with userPassword "wert": 270 271<pre> 272 <tt>INSERT INTO user_table (username, realm, userPassword) VALUES 273 ('bovik', 'madoka.surf.org.uk', 'wert');</tt> 274 275 276</pre> 277 278<p>Note that all substitutions do not have to be used. For instance, 279<pre> 280 <tt>SELECT password FROM auth WHERE username = '%u'</tt> 281</pre> 282is a valid value for <tt>sql_select</tt>. 283 284<h2>Notes on LDAPDB plugin options</h2> 285 286<p> 287</p> 288 289<p>Unlike other LDAP-enabled plugins for other services that are common 290on the web, this plugin does not require you to configure DN search 291patterns to map usernames to LDAP DNs. This plugin requires SASL name 292mapping to be configured on the target slapd. This approach keeps the 293LDAP-specific configuration details in one place, the slapd.conf, and 294makes the configuration of remote services much simpler.</p> 295 296<p>This plugin is not for use with slapd itself. When OpenLDAP is 297built with SASL support, slapd uses its own internal auxprop and 298canonuser module. 299By default, without configuring anything else, slapd will fail to load 300the ldapdb module when it's present. This is as it should be. If you 301don't like the "auxpropfunc: error -7" message that is sent to syslog 302by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with: 303 304 <pre>auxprop_plugin: slapd</pre> 305 306which will force the SASL library to ignore all other auxprop modules.</p> 307 308<h3>Examples:</h3> 309 310<pre> 311ldapdb_uri: ldap://ldap.example.com 312ldapdb_id: root 313ldapdb_pw: secret 314ldapdb_mech: DIGEST-MD5 315ldapdb_canon_attr: uid 316</pre> 317 318<p>The LDAP server must be configured to map the SASL authcId "root" into a DN 319that has proxy authorization privileges to every account that is allowed to 320login to this server. (See the OpenLDAP Admin Guide section 10 for 321details.)</p> 322 323<pre> 324ldapdb_uri: ldapi:// 325ldapdb_mech: EXTERNAL 326</pre> 327 328<p>This configuration assumes an LDAP server is on the same server that is 329using SASL and the underlying OS is *NIX based (ldapi:// requires UNIX domain 330sockets). This is fast and secure, and needs no username or password to be 331stored. The slapd.conf will need to map these usernames to LDAP DNs: 332 333<pre> 334sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth 335 ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2)) 336</pre> 337 338<pre> 339sasl-regexp uid=(.*),cn=external,cn=auth 340 ldap:///dc=example,dc=com??sub?(uid=$1) 341</pre> 342 343</p> 344 345<hr> 346Back to the <A href=index.html>index</a> 347 348</body> 349</html> 350 351