saslauthd

Ondrej Sury ondrej at sury.org
Tue Aug 23 05:43:24 EDT 2005


On Tue, 2005-08-23 at 14:31 +0530, Gobbledegeek wrote:
> OK I got it working with sasl_pwcheck-method = auxprop in /etc/imapd.conf. 
> But why isn't there a simple statement advising this in the loads of
> documentation?  So much time wasted for want of a simple communiqué.
>
> [...useless rant...]
> 
> f!@#$% programmers! 

f!@#$% users who cannot read documentation?  Even if somebody recommends
them to read it?

from doc/sysadmin.html (from cyrus-sasl distribution tarball):

--cut here--
The principal concern for system administrators is how the
authentication identifier and password are verified. The Cyrus SASL
library is flexible in this regard:

auxprop 
        checks passwords against the userPassword attribute supplied by
        an auxiliary property plugin. For example, SASL ships with a
        sasldb auxiliary property plugin, that can be used to
        authenticate against the passwords stored in /etc/sasldb2. Since
        other mechanisms also use this database for passwords, using
        this method will allow SASL to provide a uniform password
        database to a large number of mechanisms.

saslauthd
        contacts the saslauthd daemon to check passwords using a
        variety of mechanisms. More information about the various
        invocations of saslauthd can be found in saslauthd(8).
        Generally you want something like saslauthd -a pam. If plaintext
        authentications seem to be taking some time under load,
        increasing the value of the -n parameter can help.
        
        Saslauthd keeps its named socket in "/var/state/saslauthd" by
        default. This can be overridden by specifying an alternate value
        to --with-saslauthd=/foo/bar at compile time, or by passing the
        -m parameter to saslauthd (along with setting the saslauthd_path
        SASL option). Whatever directory this is, it must exist in order
        for saslauthd to function.
        
        Once you configure (and start) saslauthd, there is a
        testsaslauthd program that can be built with make testsaslauthd
        in the saslauthd subdirectory of the source. This can be used to
        check that the saslauthd daemon is installed and running
        properly. An invocation like testsaslauthd -u rjs3 -p 1234 with
        appropriate values for the username and password should do the
        trick.
        
        If you are using the PAM method to verify passwords with
        saslauthd, keep in mind that your PAM configuration will need to
        be configured for each service name that is using saslauthd for
        authentication. Common service names are "imap", "sieve", and
        "smtp".
        
Courier-IMAP authdaemond
        contacts Courier-IMAP's authdaemond daemon to check passwords.
        This daemon is similar in functionality to saslauthd, and is
        shipped separately with the Courier mail server. 
        
        Note: this feature is not compiled in the library by default,
        and it's provided for sites with custom/special requirements only
        (because the internal authentication protocol is not documented
        anywhere so it could change at any time). We have tested against
        the authdaemond included with Courier-IMAP 2.2.1.
        
        To enable authdaemond support, pass --with-authdaemon to the
        configuration script, set pwcheck_method to ``authdaemond'' and
        point authdaemon_path to authdaemond's unix socket. Optionally,
        you can specify --with-authdaemond=PATH to the configure script
        so that authdaemond_path points to a default, static, location.
        
pwcheck
        checks passwords with the use of a separate, helper daemon. This
        feature is for backwards-compatibility only. New installations
        should use saslauthd.
--cut here--

-- 
Ondrej Sury <ondrej at sury.org>
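
The checks the quoted sysadmin.html excerpt implies, as an added example that is not part of the original message or of the Cyrus distribution. It assumes the colon-separated /etc/imapd.conf format with SASL options prefixed by sasl_ (sasl_pwcheck_method, sasl_saslauthd_path, sasl_authdaemond_path), and that the saslauthd path option may name the mux socket itself; audit_pwcheck and parse_imapd_conf are hypothetical helper names.

```python
import os

# Default socket directory quoted in the excerpt above; a distribution build
# may have changed it with --with-saslauthd, so treat it as an assumption.
DEFAULT_SASLAUTHD_DIR = "/var/state/saslauthd"
KNOWN_METHODS = {"auxprop", "saslauthd", "authdaemond", "pwcheck"}

def parse_imapd_conf(text):
    """Parse 'option: value' lines, skipping blanks and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts

def audit_pwcheck(text, dir_exists=os.path.isdir):
    """Return a list of findings about the password verification setup."""
    opts = parse_imapd_conf(text)
    methods = opts.get("sasl_pwcheck_method", "").split()
    if not methods:
        return ["sasl_pwcheck_method is not set"]
    findings = []
    for m in methods:
        if m not in KNOWN_METHODS:
            findings.append(f"unknown pwcheck method: {m}")
        elif m == "saslauthd":
            path = opts.get("sasl_saslauthd_path", DEFAULT_SASLAUTHD_DIR)
            # Assumption: the option may name the socket itself (.../mux).
            sock_dir = os.path.dirname(path) if path.endswith("/mux") else path
            if not dir_exists(sock_dir):
                findings.append(f"saslauthd socket directory missing: {sock_dir}")
        elif m == "authdaemond" and "sasl_authdaemond_path" not in opts:
            findings.append("authdaemond without sasl_authdaemond_path (compile-time default)")
        elif m == "pwcheck":
            findings.append("pwcheck is backwards-compatibility only; use saslauthd")
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
# /etc/imapd.conf (constructed)
configdirectory: /var/lib/imap
sasl_pwcheck_method: saslauthd pwcheck
sasl_saslauthd_path: /srv/sasl/run/mux
"""

if __name__ == "__main__":
    for finding in audit_pwcheck(SAMPLE):
        print(finding)
```

An empty result only means the static settings are consistent; testsaslauthd, as described in the excerpt, is still the way to confirm the daemon answers.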