saslauthd: support several authentication methods

Patrick Ben Koetter p at state-of-mind.de
Sat Jan 2 08:38:23 UTC 2010


Dan,

* Dan White <dwhite at olp.net>:
> On 29/12/09 21:51 +0100, Patrick Ben Koetter wrote:
> >* Dan White <dwhite at olp.net>:
> >>On 29/12/09 11:08 +0100, Patrick Ben Koetter wrote:
> >>>My current workload is high. I need to revise "The book of Postfix" for
> >>>Postfix 2.7 and I will meet Alexey Melnikov (Cyrus SASL maintainer) end of
> >>>January to create and add documentation upstream.
> >>>
> >>>p at rick
> >>
> >>Patrick,
> >>
> >>Can you post a link or bug number? I'll try to take a look at them as well.
> >
> >Thanks. Everything I have written so far resides in the repository below:
> >
> > pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc
> 
> Patrick,
> 
> Looks great! Here are some comments for your consideration.

thanks for the detailed feedback.

I plan to pick up work on the documentation at the end of January or the beginning
of February. It depends on how smoothly projects at work evolve.


> In libsasl.5, the warning about ldapdb not applying to auto_transition is
> no longer correct. The ldapdb auxprop does support the store function (see
> ldapdb_auxprop_store), and does work with auto_transition.

I can't program and therefore I don't really understand code when I read it
(sometimes I seem to). I'll pick that up anyway and add it to the docs.


> In libsasl.5 under 'auxprop_plugin', you have 'A whitespace-separated list
> of one or more auxiliary plugins used if the pwcheck_method parameter
> specifies auxprop as an option.'
> 
> This is partially true. The auxprop plugins will be used for the
> PLAIN/LOGIN mechanisms if the pwcheck_method parameter includes auxprop as
> an option. However, auxprop(s) will be used regardless of the pwcheck_method
> setting, when authenticating DIGEST-MD5/CRAM-MD5/OTP/SRP. They will also be
> used when auto_transition is enabled.

Okay.


> I have a difference with how the following options are documented in
> options.html. I believe the following to be more accurate:
> 
> authdaemond_path - On Debian, the default is /var/run/courier/authdaemon/socket
> 
> auxprop_plugin - The default is to use all initialized auxprop plugins.
> 
> mech_list - The default is to use (offer) all initialized authentication
> mechanisms.
> 
> saslauthd_path - On Debian, the default is /var/run/saslauthd/mux
> 
> The following options (as of 2.1.24 rc1) are not documented yet in your man
> pages:
> 
> canon_user_plugin
> keytab
> ldapdb_canon_attr

That one is new to me.

> ntlm_server
> ntlm_v2
> opiekeys
> otp_mda
> plugin_list

This is new to me too.


> reauth_timeout
> srp_mda
> srvtab

Your list is correct. I have omitted those for the moment, since they belong
to GSSAPI or OTP and I haven't had time to set those up and work with them
yet.

I plan to deal with them once the current docs have become more stable.


> You might want to include a brief discussion of user canonicalization
> plugins in libsasl.5 (including the canon_user_plugin option). As of 2.1.24
> rc1, 'ldapdb' is a supported parameter for that option.

*PHEW* I've heard about them but I have never used them. All I know is that
you can use a canonicalization plugin to "rewrite '!' to '@'". Anything you
can add is very welcome.


> In ldapdb.5:
> 
> States that "The LDAP server must authorize the ldapdb proxy user to access
> the authenticating users userPassword and "... retrieve the authenticating
> users userPassword". The sasl library may also retrieve or update these
> parameters:
> 
> cmusaslsecretOTP
> cmusaslsecretSRP
> 
> This isn't ldapdb specific, and should be true of all auxprop plugins. OTP
> I've used. SRP I haven't, so I can't personally vouch for cmusaslsecretSRP.

Okay. I'll fix that.


> ldapdb_uri - has no default and is mandatory for ldapdb initialization (as
> either an auxprop or canon_user plugin).

Yep.


> ldapdb_mech - by default will use the strongest mechanism (as determined by
> the local sasl library) offered by the LDAP server.

That's a noteworthy detail. Thanks.


> ldapdb_canon_attr - new in 2.1.24 rc1. From options.html: "Use the value of
> the specified attribute as the user's canonical name. The attribute will be
> looked up in the user's LDAP entry. This setting must be configured in
> order to use LDAPDB as a canonuser plugin."
> 
> I did not take a close look at saslauthd.conf.5 or sql.5 since I have not
> used either.

Thanks,

p at rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
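The two corrections Dan raises above (auxprop plugins are consulted for the shared-secret mechanisms regardless of pwcheck_method, and ldapdb needs ldapdb_canon_attr before it can act as a canon_user plugin) are easiest to see in an application config file. The fragment below is an added illustration for this archive page, not text from the thread, the Debian documentation or the Cyrus SASL project. The file path (Debian's Postfix SASL config), the LDAP host, the proxy identity, the attribute name `mail` and the placeholder password are assumptions chosen for the example; the option names themselves are the ones discussed in the thread and in the upstream options.html.

```conf
# /etc/postfix/sasl/smtpd.conf  (assumed path for Postfix on Debian)
# Added example for illustration; not from the thread or the project docs.

# PLAIN/LOGIN are verified through auxprop only because pwcheck_method
# names it. CRAM-MD5 and DIGEST-MD5 would query the auxprop plugin(s)
# even if pwcheck_method were saslauthd, because the library itself
# must fetch the stored secret to compute the challenge response.
pwcheck_method: auxprop
auxprop_plugin: ldapdb

# Without mech_list the library offers every initialized mechanism.
# Pin the list so an unintended plugin is never advertised.
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

# ldapdb_uri has no default and is mandatory, whether ldapdb is used as
# an auxprop plugin, as a canon_user plugin, or (as here) as both.
ldapdb_uri: ldap://ldap.example.com          # assumed host
ldapdb_starttls: demand                      # refuse to talk cleartext
# Bind mechanism for the proxy identity. Omitting it selects the strongest
# mechanism the LDAP server offers (as judged by the local libsasl);
# pinning it avoids a silent downgrade if the server's offer changes.
ldapdb_mech: DIGEST-MD5
ldapdb_id: sasl-proxy                        # assumed proxy identity
ldapdb_pw: REPLACE-WITH-A-REAL-SECRET        # placeholder, not a real value

# Canonicalization through the same plugin; ldapdb_canon_attr is required
# for this to work. The value of the named attribute in the user's entry
# becomes the canonical name handed to the application.
canon_user_plugin: ldapdb
ldapdb_canon_attr: mail                      # assumed attribute
```

Two practical notes that follow from the settings above. The proxy identity in `ldapdb_id` must be authorized by the LDAP server to read the authenticating user's `userPassword` (and `cmusaslsecretOTP`/`cmusaslsecretSRP` if those mechanisms are in play), so this file holds a credential with read access to every user's secret and should be readable only by the service that loads it. And because CRAM-MD5 and DIGEST-MD5 need the cleartext secret to verify a response, the value the plugin retrieves for those mechanisms has to be the cleartext password, not a hashed form; if the directory only stores hashes, restrict `mech_list` to PLAIN and LOGIN over TLS.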


