saslauthd vs auxprop
Adam Tauno Williams
awilliam at whitemice.org
Mon Jan 10 06:58:29 EST 2011
On Sun, 2011-01-09 at 23:38 -0800, Andrew Morgan wrote:
> On Sun, 9 Jan 2011, jonr at destar.net wrote:
> > I cannot wrap my mind around saslauthd and auxprop.
> > Does auxprop use the sasldb file to authenticate users that have been
> > added using the 'saslpasswd2' command?
> > What is saslauthd trying to use for authentication, would it be the
> > mechs shown in a 'saslauthd -v' output?
> > What does changing the value in the Sendmail.conf file from saslauthd
> > to auxprop or vice versa do?
> > Running a ps I see that saslauthd is using the shadow mech:
> > /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
> > But I have no users in the shadow file other than cyrus and my users
> > for my mail server are in the sasldb file?
> > I have read the documentation on the cyrus site, the man pages and
> > searched the mailing list but I still cannot grasp what seems to be a
> > simple concept.
> > Can someone shed some light or at least point me in the right direction?
> Hopefully I get this right! There are basically 2 high-level choices to
> make: saslauthd or auxprop. saslauthd is an external daemon process that
> your program communicates with via a unix socket. auxprop uses C library
> modules that are loaded by libsasl into your program.
> saslauthd supports a few different authentication mechanisms. The most
> popular are PAM and passwd/shadow.
The most important part here is that saslauthd [much like PAM] can only
provide chat-expect authentication mechanisms - like LOGIN and PLAIN.
So, in short, only insecure authentication mechanisms.
> Auxprop is usually used for sasldb, but I think there are several
> different modules that can be used. I'm fuzzy on auxprop so maybe someone
> else can fill in more detail here.
auxprop is used to implement 'real' SASL mechanisms [Kerberos, digest,
otp, etc...] The purpose is to tie external servers [your MTA, DSA,
etc...] into the SASL framework.
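
Added example, not part of the original message and not code from the Cyrus SASL project: a small Python lint for the setup described in the thread, where `pwcheck_method: saslauthd` is combined with `saslauthd -a shadow` while the mail users live in sasldb. The function names, the `users_in_sasldb` flag and the sample config are assumptions made for illustration; `pwcheck_method` and `mech_list` are the Cyrus SASL options, and the command line is the one quoted above.

```python
import shlex

PLAINTEXT = {"PLAIN", "LOGIN"}              # password itself reaches the server
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}  # server needs the stored secret

# Constructed sample config; the command line is the one quoted in the thread.
SAMPLE_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN DIGEST-MD5\n"
SAMPLE_CMD = "/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow"


def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a SASL application config."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def saslauthd_backend(cmdline):
    """Return the argument of -a on a saslauthd command line, or None."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args[:-1]):
        if arg == "-a":
            return args[i + 1]
    return None


def check(conf_text, saslauthd_cmdline, users_in_sasldb):
    """Hypothetical lint: return a list of findings for this setup."""
    opts = parse_sasl_conf(conf_text)
    method = opts.get("pwcheck_method", "auxprop")  # auxprop is the libsasl default
    mechs = {m.upper() for m in opts.get("mech_list", "").split()}
    findings = []
    if method == "saslauthd":
        backend = saslauthd_backend(saslauthd_cmdline)
        if users_in_sasldb and backend != "sasldb":
            findings.append(f"users are in sasldb but saslauthd checks '{backend}'")
        secret = sorted(mechs & SHARED_SECRET)
        if secret:
            findings.append("not verified by saslauthd: " + " ".join(secret))
        if mechs & PLAINTEXT:
            findings.append("PLAIN/LOGIN send the password itself; require TLS")
    elif method == "auxprop" and not users_in_sasldb:
        # Assumes the sasldb auxprop plugin is the one in use.
        findings.append("auxprop selected but no users in sasldb")
    return findings
```

Calling `check(SAMPLE_CONF, SAMPLE_CMD, users_in_sasldb=True)` returns three findings for the configuration the original poster describes.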