SASL Docs

Rob Siemborski rjs3 at andrew.cmu.edu
Tue Nov 5 09:25:05 EST 2002


On Mon, 4 Nov 2002, David H. Lynch Jr. wrote:

> My problems seem to come from a weak understanding of SASL. I
> have searched the net, the archives, and while there are RFC's and
> programming information I have not found anything that approximates a
> users guide to using SASL.

You mean something like doc/sysadmin.html in the distribution, or
something more specific?  If you think something is missing, we're willing
to add it, though, based on some of your questions I'm guessing you didn't
look in the doc subdirectory at all.

Of course, a guide for "the ground up with SASL" will be hard to write so
that it will work in any environment, since authentication and
authorization is almost always a site-specific thing.  The SASL library
does its best to work everywhere, but in some ways it's a tremendously
difficult problem to get right.

I'll try to answer your questions though:

>     If I select a particular authentication module - say GSSAPI or NTLM,
> where does it get any configuration information it might need, and how
> do I figure out what options there are ? I have even looked through the
> source for some of the modules and cursory looks are not revealing.

doc/options.html lists all the options for anything that is included in
the library.

>     Can someone point me to some kind of user  docs for libsasl 2.1.9 ?

Look in the doc subdirectory, but...

>        Something that would answer questions like:
>             Do all methods depend on sasldb ?

No.  No mechanisms depend on sasldb.  A number of them do depend on the
presence of an auxprop plugin, of which sasldb is one.  There is also an
included mysql auxprop plugin, as well as a LDAP auxprop patch that is on
surf.org.uk.

The ones that don't need any backend support:
  ANONYMOUS

The ones that can get by with just saslauthd (but can use auxprop):
  PLAIN
  LOGIN

The ones that need auxprop support:
  CRAM-MD5
  DIGEST-MD5
  NTLM
  OTP
  SRP

The ones that require a separate infrastructure:
  KERBEROS_V4
  GSSAPI

> What are the options for each module and how do
> you set them ?

Again, doc/options.html.  You set them in an application-specific way (in
Cyrus IMAP, you set sasl_[optionname] in imapd.conf).  You can also
specify them in a file that is /usr/lib/sasl2/servicename.conf

> What is the difference between LOGIN and PLAIN ?

LOGIN is not a standards-track mechanism.  It also doesn't support proxy
authorization.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
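
The mechanism list in the message above can be turned into a configuration check. This is an added example, not part of the original post or of the Cyrus SASL distribution: it reads a servicename.conf-style file (or imapd.conf with the sasl_ prefix) and flags mechanisms whose backend the file does not appear to provide. It assumes the Cyrus SASL option names pwcheck_method, mech_list and auxprop_plugin, which the message does not quote, and treats an auxprop store as available when pwcheck_method includes auxprop or auxprop_plugin is set.

```python
# Mechanism classes exactly as listed in the message above.
NO_BACKEND = {"ANONYMOUS"}
SASLAUTHD_OK = {"PLAIN", "LOGIN"}  # may also use auxprop
AUXPROP_ONLY = {"CRAM-MD5", "DIGEST-MD5", "NTLM", "OTP", "SRP"}
SEPARATE_INFRA = {"KERBEROS_V4", "GSSAPI"}


def parse_conf(text, prefix=""):
    """Parse 'option: value' lines. Use prefix='sasl_' for imapd.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key.startswith(prefix):
            opts[key[len(prefix):]] = value.strip()
    return opts


def check_mechs(opts):
    """Map each mechanism in mech_list to 'ok', 'warn', 'external' or 'unknown'."""
    # Assumption: pwcheck_method falls back to auxprop when it is not set.
    methods = set(opts.get("pwcheck_method", "auxprop").split())
    has_auxprop = "auxprop" in methods or "auxprop_plugin" in opts
    result = {}
    for mech in opts.get("mech_list", "").upper().split():
        if mech in NO_BACKEND:
            result[mech] = "ok"
        elif mech in SASLAUTHD_OK:
            result[mech] = "ok" if has_auxprop or "saslauthd" in methods else "warn"
        elif mech in AUXPROP_ONLY:
            # saslauthd alone cannot serve these; they need an auxprop plugin.
            result[mech] = "ok" if has_auxprop else "warn"
        elif mech in SEPARATE_INFRA:
            result[mech] = "external"  # needs infrastructure outside this file
        else:
            result[mech] = "unknown"  # not in the list from the message
    return result


# Constructed sample in servicename.conf form (not taken from the thread).
SAMPLE = """\
# constructed example
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5 GSSAPI
"""

if __name__ == "__main__":
    for mech, status in check_mechs(parse_conf(SAMPLE)).items():
        print(f"{mech:12} {status}")
```

A "warn" here means the file names no backend that the mechanism can use; it does not confirm that a configured backend actually holds the user's secret.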
