saslauthd and multiple mechs

Mike Culbertson mculbert at gemstone.com
Thu Jun 17 11:27:08 EDT 2010


I'm not sure we're talking about the same thing.  I'm actually asking about the auth mechanisms used by saslauthd, that are specified on the command line when you run the daemon such as getpwent, kerberos5, pam, ldap, etc.  i.e.: 

/usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5

Based on the man page, it sounds like you would be able to do something like this to auth off of multiple backend sources:

/usr/sbin/saslauthd -a kerberos5 -a ldap  -c -m /var/run/saslauthd -n 5

But neither that nor any other style of arguments work to specify multiple mechs.  I think this is a simple miswording in the man page, but it warrants clarification. 

In my case, we fell back to using 'pam' and handling multiple auth backends with pam modules.  It would certainly be nicer if saslauthd could do this without PAM though.

-Mike

On Jun 16, 2010, at 4:03 PM, Henry B. Hotz wrote:

> If you go back a few years there's an exchange between Simon Wilkinson and me where he describes how to do it.  Basically you get the server's list of available mech's, try to connect, if it fails then you erase the chosen (failed) mech from the list and start over.  You stop on success or when the error returned is no available mechs.  This is programmatically more complex than the published sample code.
> 
> The opposing viewpoint (from Ken Hornstein, who also deserves respect) is that it makes everything more complex and less reliable, and you're better off just picking a single one for any given specific usage of SASL, even if your server supports more than one.
> 
> On Jun 16, 2010, at 2:24 PM, Mike Culbertson wrote:
> 
>> I'm aware that this has come up before 
>> (http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2007-September/001188.html) 
>> but (on Debian) the manpage for saslauthd states:
>> 
>> saslauthd supports one or more "authentication mechanisms"
>> 
>> so it's not entirely clear what the correct answer is.  Is there any way 
>> at all to use multiple auth mechs, aside from doing it through PAM?
>> 
>> TIA
>> 
>> - Mike
> 
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 
> 
> 



More information about the Cyrus-sasl mailing list