saslauthd: support several authentication methods
Patrick Ben Koetter
p at state-of-mind.de
Sat Jan 2 08:38:23 UTC 2010
Dan,
* Dan White <dwhite at olp.net>:
> On 29/12/09 21:51 +0100, Patrick Ben Koetter wrote:
> >* Dan White <dwhite at olp.net>:
> >>On 29/12/09 11:08 +0100, Patrick Ben Koetter wrote:
> >>>My current workload is high. I need to revise "The book of Postfix" for
> >>>Postfix 2.7 and I will meet Alexey Melnikov (Cyrus SASL maintainer) end of
> >>>January to create and add documentation upstream.
> >>>
> >>>p at rick
> >>
> >>Patrick,
> >>
> >>Can you post a link or bug number? I'll try to take a look at them as well.
> >
> >Thanks. Everything I have written so far resides in the repository below:
> >
> > pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc
>
> Patrick,
>
> Looks great! Here are some comments for your consideration.
thanks for the detailed feedback.
I plan to pick up work on the documentation end of January, beginning of
February. Depends on how smoothly projects at work evolve.
> In libsasl.5, the warning about ldapdb not applying to auto_transition is
> no longer correct. The ldapdb auxprop does support the store function (see
> ldapdb_auxprop_store), and does work with auto_transition.
I can't program and therefore I don't really understand code when I read it
(sometimes I seem to do). I'll pick that up anyway and add it to the docs.
> In libsasl.5 under 'auxprop_plugin', you have 'A whitespace-separated list
> of one or more auxiliary plugins used if the pwcheck_method parameter
> specifies auxprop as an option.'
>
> This is partially true. The auxprop plugins will be used for the
> PLAIN/LOGIN mechanisms if the pwcheck_method parameter includes auxprop as
> an option. However, auxprop(s) will be used regardless of the pwcheck_method
> setting, when authenticating DIGEST-MD5/CRAM-MD5/OTP/SRP. They will also be
> used when auto_transition is enabled.
Okay.
> I have a difference with how the following options are documented in
> options.html. I believe the following to be more accurate:
>
> authdaemond_path - On Debian, the default is /var/run/courier/authdaemon/socket
>
> auxprop_plugin - The default is to use all initialized auxprop plugins.
>
> mech_list - The default is to use (offer) all initialized authentication
> mechanisms.
>
> saslauthd_path - On Debian, the default is /var/run/saslauthd/mux
>
> The following options (as of 2.1.24 rc1) are not documented yet in your man
> pages:
>
> canon_user_plugin
> keytab
> ldapdb_canon_attr
That one is new to me.
> ntlm_server
> ntlm_v2
> opiekeys
> otp_mda
> plugin_list
This is new to me as well.
> reauth_timeout
> srp_mda
> srvtab
Your list is correct. I have omitted those for the moment, since they belong
to GSSAPI or OTP and I haven't had time to set those up and work with them
yet.
I plan to deal with them once the current docs have become more stable.
> You might want to include a brief discussion of user canonicalization
> plugins in libsasl.5 (including the canon_user_plugin option). As of 2.1.24
> rc1, 'ldapdb' is a supported parameter for that option.
*PHEW* I've heard about them but I have never used them. All I know is that
you can use a canonicalization plugin to "rewrite '!' to '@'". Anything you
can add is very welcome.
> In ldapdb.5:
>
> States that "The LDAP server must authorize the ldapdb proxy user to access
> the authenticating users userPassword and "... retrieve the authenticating
> users userPassword". The sasl library may also retrieve or update these
> parameters:
>
> cmusaslsecretOTP
> cmusaslsecretSRP
>
> This isn't ldapdb specific, and should be true of all auxprop plugins. OTP
> I've used. SRP I haven't, so I can't personally vouch for cmusaslsecretSRP.
Okay. I'll fix that.
> ldapdb_uri - has no default and is mandatory for ldapdb initialization (as
> either an auxprop or canon_user plugin).
Yep.
> ldapdb_mech - by default will use the strongest mechanism (as determined by
> the local sasl library) offered by the LDAP server.
That's a noteworthy detail. Thanks.
> ldapdb_canon_attr - new in 2.1.24 rc1. From options.html: "Use the value of
> the specified attribute as the user's canonical name. The attribute will be
> looked up in the user's LDAP entry. This setting must be configured in
> order to use LDAPDB as a canonuser plugin."
>
> I did not take a close look at saslauthd.conf.5 or sql.5 since I have not
> used either.
Thanks,
p at rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
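An added example, not part of this thread and not code from the Cyrus SASL project: a small Python linter that applies the rules Dan lists above to an application config in the `option: value` format of e.g. smtpd.conf. It reports which backend verifies each offered mechanism (auxprop for PLAIN/LOGIN only if pwcheck_method includes auxprop; auxprop regardless for DIGEST-MD5/CRAM-MD5/OTP/SRP; auxprop for auto_transition), flags a missing ldapdb_uri whenever ldapdb is named, flags a missing ldapdb_canon_attr when ldapdb is the canon_user plugin, and notes the ldapdb_mech default. The sample configs are constructed; the assumptions that pwcheck_method defaults to auxprop and that the "initialized" mechanism set is PLAIN/LOGIN/DIGEST-MD5/CRAM-MD5/OTP/SRP are mine, not taken from the thread.

```python
from __future__ import annotations

# Mechanisms whose verifier needs the stored secret: always served by auxprop.
SHARED_SECRET_MECHS = {"DIGEST-MD5", "CRAM-MD5", "OTP", "SRP"}
# Plaintext mechanisms: verified by whatever pwcheck_method names.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Assumption: the mechanisms "initialized" on this host. Used when mech_list is
# absent, since the default is to offer all initialized mechanisms.
INSTALLED_MECHS = PLAINTEXT_MECHS | SHARED_SECRET_MECHS


def parse_sasl_conf(text: str) -> dict[str, str]:
    """Parse 'option: value' lines; '#' starts a comment; option names are case-insensitive."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def backends_per_mech(opts: dict[str, str]) -> dict[str, tuple[str, ...]]:
    """Map each offered mechanism to the backend(s) that will verify it."""
    # Assumption: pwcheck_method defaults to 'auxprop' when unset.
    methods = tuple(opts.get("pwcheck_method", "auxprop").lower().split())
    offered = opts.get("mech_list", "").upper().split() or sorted(INSTALLED_MECHS)
    result: dict[str, tuple[str, ...]] = {}
    for mech in offered:
        if mech in SHARED_SECRET_MECHS:
            result[mech] = ("auxprop",)      # regardless of pwcheck_method
        elif mech in PLAINTEXT_MECHS:
            result[mech] = methods           # e.g. ('saslauthd',) or ('saslauthd', 'auxprop')
        else:
            result[mech] = ()                # GSSAPI, EXTERNAL, ...: not covered by these rules
    return result


def lint(text: str) -> list[str]:
    """Return findings for one config file; an empty list means nothing to report."""
    opts = parse_sasl_conf(text)
    methods = set(opts.get("pwcheck_method", "auxprop").lower().split())
    findings: list[str] = []

    # Shared-secret mechanisms go to auxprop even when pwcheck_method does not name it,
    # so saslauthd-only deployments offering them still need a working auxprop plugin.
    for mech in backends_per_mech(opts):
        if mech in SHARED_SECRET_MECHS and "auxprop" not in methods:
            findings.append(f"{mech}: verified by auxprop regardless of pwcheck_method "
                            f"'{opts['pwcheck_method']}'; an auxprop plugin must be configured")

    if opts.get("auto_transition", "no").lower() in {"yes", "true", "1", "on"}:
        findings.append("auto_transition: enabled; secrets are written back through the auxprop plugin(s)")

    plugins = set(opts.get("auxprop_plugin", "").lower().split())
    canon = opts.get("canon_user_plugin", "").lower()
    # An unset auxprop_plugin means "all initialized plugins", which cannot be
    # resolved offline, so ldapdb counts as loaded only when it is named explicitly.
    ldapdb_loaded = "ldapdb" in plugins or canon == "ldapdb"
    if ldapdb_loaded and "ldapdb_uri" not in opts:
        findings.append("ldapdb_uri: required; ldapdb has no default URI and will not initialize without it")
    if ldapdb_loaded and "ldapdb_mech" not in opts:
        findings.append("ldapdb_mech: unset; the strongest mechanism the LDAP server offers will be used")
    if canon == "ldapdb" and "ldapdb_canon_attr" not in opts:
        findings.append("ldapdb_canon_attr: required to use ldapdb as a canon_user plugin")
    return findings


# Constructed sample configs (not from any real deployment).
SAMPLE_SASLAUTHD_ONLY = """
# saslauthd handles PLAIN/LOGIN, but DIGEST-MD5 is offered too
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5
"""

SAMPLE_LDAPDB_CANON = """
pwcheck_method: auxprop
auxprop_plugin: ldapdb
canon_user_plugin: ldapdb
mech_list: PLAIN DIGEST-MD5
auto_transition: yes
"""

SAMPLE_OK = """
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
mech_list: PLAIN LOGIN DIGEST-MD5
"""

if __name__ == "__main__":
    for name, conf in [("saslauthd-only", SAMPLE_SASLAUTHD_ONLY),
                       ("ldapdb-canon", SAMPLE_LDAPDB_CANON), ("ok", SAMPLE_OK)]:
        print(f"== {name}: {backends_per_mech(parse_sasl_conf(conf))}")
        for finding in lint(conf) or ["no findings"]:
            print("  -", finding)
```

Run it directly to see the per-mechanism backend map and the findings for the three embedded configs; pass your own file's contents to `lint()` to check a real smtpd.conf against the same rules.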