SASL Docs
Rob Siemborski
rjs3 at andrew.cmu.edu
Tue Nov 5 09:25:05 EST 2002
On Mon, 4 Nov 2002, David H. Lynch Jr. wrote:
> My problems seem to come from a weak understanding of SASL. I
> have searched the net, the archives, and while there are RFCs and
> programming information I have not found anything that approximates a
> user's guide to using SASL.
You mean something like doc/sysadmin.html in the distribution, or
something more specific? If you think something is missing, we're willing
to add it, though, based on some of your questions I'm guessing you didn't
look in the doc subdirectory at all.
Of course, a guide for "the ground up with SASL" will be hard to write so
that it will work in any environment, since authentication and
authorization are almost always a site-specific thing. The SASL library
does its best to work everywhere, but in some ways it's a tremendously
difficult problem to get right.
I'll try to answer your questions though:
> If I select a particular authentication module - say GSSAPI or NTLM,
> where does it get any configuration information it might need, and how
> do I figure out what options there are ? I have even looked through the
> source for some of the modules and cursory looks are not revealing.
doc/options.html lists all the options for anything that is included in
the library.
> Can someone point me to some kind of user docs for libsasl 2.1.9 ?
Look in the doc subdirectory, but...
> Something that would answer questions like:
> Do all methods depend on sasldb ?
No. No mechanisms depend on sasldb. A number of them do depend on the
presence of an auxprop plugin, of which sasldb is one. There is also an
included mysql auxprop plugin, as well as an LDAP auxprop patch that is on
surf.org.uk.
The ones that don't need any backend support:
ANONYMOUS
The ones that can get by with just saslauthd (but can use auxprop):
PLAIN
LOGIN
The ones that need auxprop support:
CRAM-MD5
DIGEST-MD5
NTLM
OTP
SRP
The ones that require a separate infrastructure:
KERBEROS_V4
GSSAPI
> What are the options for each module and how do
> you set them ?
Again, doc/options.html. You set them in an application-specific way (in
Cyrus IMAP, you set sasl_[optionname] in imapd.conf). You can also
specify them in a file that is /usr/lib/sasl2/servicename.conf
> What is the difference between LOGIN and PLAIN ?
LOGIN is not a standards-track mechanism. It also doesn't support proxy
authorization.
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
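
The mechanism grouping in the message above can be applied as a sanity check on a service's SASL config file. This is an added example, not part of the original message or of the Cyrus SASL distribution; it reads the library's `mech_list`, `pwcheck_method` and `auxprop_plugin` options, and the sample config contents and the rule for deciding that auxprop is set up are assumptions.

```python
# Backend each mechanism needs, per the grouping in the message above.
NEEDS = {"ANONYMOUS": "none", "PLAIN": "either", "LOGIN": "either",
         "CRAM-MD5": "auxprop", "DIGEST-MD5": "auxprop", "NTLM": "auxprop",
         "OTP": "auxprop", "SRP": "auxprop",
         "KERBEROS_V4": "separate", "GSSAPI": "separate"}
# Constructed sample of a /usr/lib/sasl2/servicename.conf file.
SAMPLE = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5 GSSAPI
"""

def parse_conf(text):
    """Parse 'option: value' lines, skipping blanks and '#' comments."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            opts[key.strip().lower()] = value.strip()
    return opts

def audit(text):
    """Return {mechanism: finding} for each mechanism named in mech_list."""
    opts = parse_conf(text)
    methods = set(opts.get("pwcheck_method", "").lower().split())
    # Assumption of this sketch: auxprop counts as set up when it is listed
    # in pwcheck_method or an auxprop_plugin is named explicitly. Library
    # defaults for unset options are not modelled.
    auxprop = "auxprop" in methods or "auxprop_plugin" in opts
    saslauthd = "saslauthd" in methods
    report = {}
    for mech in opts.get("mech_list", "").upper().split():
        need = NEEDS.get(mech)
        if need is None:
            finding = "unknown: not in the message's list"
        elif need == "none":
            finding = "ok: no backend needed"
        elif need == "separate":
            finding = "check: needs its own infrastructure"
        elif need == "auxprop" and not auxprop:
            finding = "problem: needs an auxprop plugin"
        elif need == "either" and not (auxprop or saslauthd):
            finding = "problem: no saslauthd or auxprop"
        else:
            finding = "ok: required backend is configured"
        report[mech] = finding
    return report

if __name__ == "__main__":
    for mech, finding in audit(SAMPLE).items():
        print(f"{mech:12} {finding}")
```

With the constructed sample, DIGEST-MD5 is flagged because saslauthd alone cannot serve a mechanism that needs auxprop support.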