SASL Docs

Tarjei Huse tarjei at nu.no
Wed Nov 6 10:36:00 EST 2002


Does anyone know of a good guide to doing TLS-certificate Auth through
sasl 1.5x ? 

cheers 
tarjei

Rob Siemborski wrote:
> 
> On Mon, 4 Nov 2002, David H. Lynch Jr. wrote:
> 
> > My problems seem to come from a weak understanding of SASL. I
> > have searched the net, the archives, and while there are RFCs and
> > programming information I have not found anything that approximates a
> > user's guide to using SASL.
> 
> You mean something like doc/sysadmin.html in the distribution, or
> something more specific?  If you think something is missing, we're willing
> to add it, though, based on some of your questions I'm guessing you didn't
> look in the doc subdirectory at all.
> 
> Of course, a guide for "the ground up with SASL" will be hard to write so
> that it will work in any environment, since authentication and
> authorization is almost always a site-specific thing.  The SASL library
> does its best to work everywhere, but in some ways it's a tremendously
> difficult problem to get right.
> 
> I'll try to answer your questions though:
> 
> >     If I select a particular authentication module - say GSSAPI or NTLM,
> > where does it get any configuration information it might need, and how
> > do I figure out what options there are ? I have even looked through the
> > source for some of the modules and cursory looks are not revealing.
> 
> doc/options.html lists all the options for anything that is included in
> the library.
> 
> >     Can someone point me to some kind of user  docs for libsasl 2.1.9 ?
> 
> Look in the doc subdirectory, but...
> 
> >        Something that would answer questions like:
> >             Do all methods depend on sasldb ?
> 
> No.  No mechanisms depend on sasldb.  A number of them do depend on the
> presence of an auxprop plugin, of which sasldb is one.  There is also an
> included mysql auxprop plugin, as well as an LDAP auxprop patch that is on
> surf.org.uk.
> 
> The ones that don't need any backend support:
>   ANONYMOUS
> 
> The ones that can get by with just saslauthd (but can use auxprop):
>   PLAIN
>   LOGIN
> 
> The ones that need auxprop support:
>   CRAM-MD5
>   DIGEST-MD5
>   NTLM
>   OTP
>   SRP
> 
> The ones that require a separate infrastructure:
>   KERBEROS_V4
>   GSSAPI
> 
> >                         What are the options for each module and how do
> > you set them ?
> 
> Again, doc/options.html.  You set them in an application-specific way (in
> Cyrus IMAP, you set sasl_[optionname] in imapd.conf).  You can also
> specify them in a file that is /usr/lib/sasl2/servicename.conf
> 
> >                         What is the difference between LOGIN and PLAIN ?
> 
> LOGIN is not a standards-track mechanism.  It also doesn't support proxy
> authorization.
> 
> -Rob
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
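
The backend grouping in the quoted reply, turned into a small check over a per-service SASL config file. This is an added example, not part of the original thread and not Cyrus SASL code. The option names `pwcheck_method`, `mech_list` and `auxprop_plugin` come from the Cyrus SASL options documentation rather than from this message, the sample file is constructed, and treating a missing `auxprop_plugin` line as "no auxprop store set up" is an assumption of the example.

```python
# Backend each mechanism needs, taken from the grouping in the reply above.
BACKEND = {}
for backend, mechs in (
    ("none", "ANONYMOUS"),
    ("saslauthd-or-auxprop", "PLAIN LOGIN"),
    ("auxprop", "CRAM-MD5 DIGEST-MD5 NTLM OTP SRP"),
    ("separate-infrastructure", "KERBEROS_V4 GSSAPI"),
):
    BACKEND.update((m, backend) for m in mechs.split())

def parse_conf(text):
    """Parse 'option: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def audit(text):
    """Return (mechanism, backend, note) for every entry in mech_list."""
    opts = parse_conf(text)
    # Assumption: no auxprop_plugin line means no auxprop store was set up.
    saslauthd_only = (opts.get("pwcheck_method", "").lower() == "saslauthd"
                      and "auxprop_plugin" not in opts)
    report = []
    for mech in opts.get("mech_list", "").upper().split():
        backend = BACKEND.get(mech, "unknown")
        if backend == "unknown":
            note = "not in the list above; check doc/options.html"
        elif backend == "auxprop" and saslauthd_only:
            note = "needs an auxprop plugin; saslauthd alone is not enough"
        elif backend == "separate-infrastructure":
            note = "needs its own infrastructure outside this file"
        else:
            note = "ok"
        report.append((mech, backend, note))
    return report

# Constructed sample of a /usr/lib/sasl2/servicename.conf style file.
SAMPLE_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5 GSSAPI
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print("%-12s %-24s %s" % row)
```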




More information about the Info-cyrus mailing list