On Mon, 4 Nov 2002, David H. Lynch Jr. wrote:

> My problems seem to come from a weak understanding of SASL. I
> have searched the net, the archives, and while there are RFCs and
> programming information I have not found anything that approximates a
> user's guide to using SASL.

You mean something like doc/sysadmin.html in the distribution, or something
more specific? If you think something is missing, we're willing to add it,
though, based on some of your questions I'm guessing you didn't look in the
doc subdirectory at all.

Of course, a guide for "the ground up with SASL" will be hard to write so
that it will work in any environment, since authentication and authorization
is almost always a site-specific thing. The SASL library does its best to
work everywhere, but in some ways it's a tremendously difficult problem to
get right.

I'll try to answer your questions though:

> If I select a particular authentication module - say GSSAPI or NTLM,
> where does it get any configuration information it might need, and how
> do I figure out what options there are ? I have even looked through the
> source for some of the modules and cursory looks are not revealing.

doc/options.html lists all the options for anything that is included in the
library.

> Can someone point me to some kind of user docs for libsasl 2.1.9 ?

Look in the doc subdirectory, but...

> Something that would answer questions like:
> Do all methods depend on sasldb ?

No. No mechanisms depend on sasldb. A number of them do depend on the
presence of an auxprop plugin, of which sasldb is one. There is also an
included mysql auxprop plugin, as well as a LDAP auxprop patch that is on
surf.org.uk.

The ones that don't need any backend support:
  ANONYMOUS

The ones that can get by with just saslauthd (but can use auxprop):
  PLAIN
  LOGIN

The ones that need auxprop support:
  CRAM-MD5
  DIGEST-MD5
  NTLM
  OTP
  SRP

The ones that require a separate infrastructure:
  KERBEROS_V4
  GSSAPI

> What are the options for each module and how do
> you set them ?

Again, doc/options.html. You set them in an application-specific way (in
Cyrus IMAP, you set sasl_[optionname] in imapd.conf). You can also specify
them in a file that is /usr/lib/sasl2/servicename.conf

> What is the difference between LOGIN and PLAIN ?

LOGIN is not a standards-track mechanism. It also doesn't support proxy
authorization.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
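The reply above gives two things an administrator can cross-check mechanically: the backend each mechanism needs (none, saslauthd or auxprop, auxprop only, or separate Kerberos infrastructure), and the two places options are set (a /usr/lib/sasl2/servicename.conf file, or sasl_[optionname] keys in Cyrus IMAP's imapd.conf). The following checker, an added example that is neither Cyrus SASL code nor part of the original thread, parses either file form and reports mechanisms whose backend is not configured. It assumes the real Cyrus SASL option names mech_list, pwcheck_method, auxprop_plugin and sasldb_path from doc/options.html, and assumes pwcheck_method defaults to auxprop when unset; both sample configs are constructed for illustration.

```python
"""Check a Cyrus SASL config against the backend each mechanism needs.

Added example, not Cyrus SASL code. The mechanism -> backend table is the
one from the reply above; option names (mech_list, pwcheck_method,
auxprop_plugin, sasldb_path) are real Cyrus SASL options, the default of
pwcheck_method=auxprop is an assumption, and the two configs are constructed.
"""
from __future__ import annotations

# Backend each mechanism needs, copied from the reply above.
NEEDS = {
    "ANONYMOUS": "none",
    "PLAIN": "saslauthd-or-auxprop",
    "LOGIN": "saslauthd-or-auxprop",
    "CRAM-MD5": "auxprop",
    "DIGEST-MD5": "auxprop",
    "NTLM": "auxprop",
    "OTP": "auxprop",
    "SRP": "auxprop",
    "KERBEROS_V4": "external",
    "GSSAPI": "external",
}

# Constructed sample: /usr/lib/sasl2/imap.conf style (bare option names).
EXAMPLE_SERVICE_CONF = """\
# constructed sample /usr/lib/sasl2/imap.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5
"""

# Constructed sample: imapd.conf style (options carry the sasl_ prefix).
EXAMPLE_IMAPD_CONF = """\
# constructed sample imapd.conf fragment
admins: cyrus
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_sasldb_path: /etc/sasldb2
sasl_mech_list: ANONYMOUS DIGEST-MD5 GSSAPI
"""


def parse_conf(text: str, prefix: str = "") -> dict[str, str]:
    """Parse 'key: value' lines; with prefix='sasl_' keep only prefixed keys."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not an option line
        key = key.strip().lower()
        if prefix:
            if not key.startswith(prefix):
                continue  # some other application key, e.g. 'admins'
            key = key[len(prefix):]
        opts[key] = value.strip()
    return opts


def check(opts: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the mechanisms in mech_list."""
    findings: list[tuple[str, str]] = []
    mechs = opts.get("mech_list", "").upper().split()
    pwcheck = opts.get("pwcheck_method", "auxprop").lower()  # assumed default
    has_auxprop = "auxprop" in pwcheck
    has_saslauthd = "saslauthd" in pwcheck
    for mech in mechs:
        need = NEEDS.get(mech)
        if need is None:
            findings.append(("error", f"{mech}: not a mechanism this checker knows"))
        elif need == "auxprop" and not has_auxprop:
            findings.append(("error", f"{mech}: needs an auxprop plugin, "
                                      f"but pwcheck_method is '{pwcheck}'"))
        elif need == "saslauthd-or-auxprop" and not (has_auxprop or has_saslauthd):
            findings.append(("error", f"{mech}: needs saslauthd or an auxprop "
                                      f"plugin, but pwcheck_method is '{pwcheck}'"))
        elif need == "external":
            findings.append(("info", f"{mech}: relies on separate Kerberos "
                                     "infrastructure, not on this config"))
        if mech == "LOGIN":
            findings.append(("note", "LOGIN: not a standards-track mechanism "
                                     "and does not support proxy authorization"))
    return findings


def audit(text: str, prefix: str = "") -> list[tuple[str, str]]:
    """Parse one config file's text and run the mechanism/backend check."""
    return check(parse_conf(text, prefix))


if __name__ == "__main__":
    for label, text, prefix in (("service conf", EXAMPLE_SERVICE_CONF, ""),
                                ("imapd.conf", EXAMPLE_IMAPD_CONF, "sasl_")):
        print(f"== {label}")
        for severity, message in audit(text, prefix):
            print(f"  [{severity}] {message}")
```

Run stand-alone, the service conf sample flags CRAM-MD5 (listed while pwcheck_method is saslauthd, so no auxprop plugin answers the challenge) and notes LOGIN; the imapd.conf sample only reports that GSSAPI depends on infrastructure outside the file. Point it at a real file with `audit(open(path).read(), prefix="sasl_")` for imapd.conf or with no prefix for a /usr/lib/sasl2/*.conf file.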