saslauthd and multiple mechs

John Newbigin jnewbigin at swin.edu.au
Thu Jun 17 19:46:34 EDT 2010


The the best of my knowledge it is not supported.  I wrote some patches 
against cyrus-sasl-2.1.19 earlier in the year which I am using to allow 
2 mechs. The patches are a bit messy because I did not want to change 
too much core stuff.

It would not be too difficult to make the support a lot better.

My command line looks like this:
/usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap 
-V -O /etc/saslauthd-httpform.conf -a httpform

The return value of the second mech is not currently used but that is 
easy to change. I use the httpform as a way of synchronising passwords 
to other systems. For a generic solution some syntax regarding what to 
do on success or failure would need to be developed.

My patches also allow per realm configuration for the ldap mech and 
fixes some bugs in the httpform mech.

If you want the patches, let me know.

John.

Mike Culbertson wrote:
> I'm not sure we're talking about the same thing.  I'm actually asking
> about the auth mechanisms used by saslauthd, that are specified on
> the command line when you run the daemon such as getpwent, kerberos5,
> pam, ldap, etc.  i.e.:
> 
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> 
> Based on the man page, it sounds like you would be able to do
> something like this to auth off of multiple backend sources:
> 
> /usr/sbin/saslauthd -a kerberos5 -a ldap  -c -m /var/run/saslauthd -n
> 5
> 
> But neither that nor any other style of arguments work to specify
> multiple mechs.  I think this is a simple miswording in the man page,
> but it warrants clarification.
> 
> In my case, we fell back to using 'pam' and handling multiple auth
> backends with pam modules.  It would certainly be nicer if saslauthd
> could do this without PAM though.
> 
> -Mike
> 
> On Jun 16, 2010, at 4:03 PM, Henry B. Hotz wrote:
> 
>> If you go back a few years there's an exchange between Simon
>> Wilkinson and me where he describes how to do it.  Basically you
>> get the server's list of available mech's, try to connect, if it
>> fails then you erase the chosen (failed) mech from the list and
>> start over.  You stop on success or when the error returned is no
>> available mechs.  This is programmatically more complex than the
>> published sample code.
>> 
>> The opposing viewpoint (from Ken Hornstein, who also deserves
>> respect) is that it makes everything more complex and less
>> reliable, and you're better off just picking a single one for any
>> given specific usage of SASL, even if your server supports more
>> than one.
>> 
>> On Jun 16, 2010, at 2:24 PM, Mike Culbertson wrote:
>> 
>>> I'm aware that this has come up before 
>>> (http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2007-September/001188.html)
>>>  but (on Debian) the manpage for saslauthd states:
>>> 
>>> saslauthd supports one or more "authentication mechanisms"
>>> 
>>> so it's not entirely clear what the correct answer is.  Is there
>>> any way at all to use multiple auth mechs, aside from doing it
>>> through PAM?
>>> 
>>> TIA
>>> 
>>> - Mike
>> ------------------------------------------------------ The opinions
>> expressed in this message are mine, not those of Caltech, JPL,
>> NASA, or the US Government. Henry.B.Hotz at jpl.nasa.gov, or
>> hbhotz at oxy.edu
>> 
>> 
>> 
> 
> 


-- 
John Newbigin
ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin


More information about the Cyrus-sasl mailing list