<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>System Administrators &mdash; Cyrus SASL 2.1.27 documentation</title>
  

  
  
    <link rel="shortcut icon" href="../_static/favicon.ico"/>
  

  

  
  
    

  

  
  
    <link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
  

  
    <link rel="stylesheet" href="../_static/cyrus.css" type="text/css" />
  

  
        <link rel="index" title="Index"
              href="../genindex.html"/>
        <link rel="search" title="Search" href="../search.html"/>
    <link rel="top" title="Cyrus SASL 2.1.27 documentation" href="../index.html"/>
        <link rel="up" title="Operations" href="../operations.html"/>
        <link rel="next" title="Man pages" href="manpages.html"/>
        <link rel="prev" title="Operations" href="../operations.html"/> 

  
  
  

</head>

<body class="wy-body-for-nav" role="document">

  
  
<div class="pageheader">
  <ul>
    <li><a href="../index.html">Home</a></li>
    <li><a href="http://www.cyrusimap.org">Cyrus IMAP</a></li>
    <li><a href="../download.html">Download</a></li>
    <li><a href="../contribute.html">Contribute</a></li>
  </ul>
  <div>
    <a href="../index.html">
      <img src="../_static/logo.gif" alt="CYRUS SASL" />
    </a>
  </div>
</div>
<div style="clear: both;"></div>


  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-nav-search">
        

        
 
          <a href="../index.html">
 

  
          
          <img src="../_static/logo.gif"  />
     
        </a>

        
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

        
      </div>

      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
        
          
          
              <p class="caption"><span class="caption-text">Cyrus SASL</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../download.html">Download</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../getsasl.html">Get SASL</a><ul>
<li class="toctree-l3"><a class="reference internal" href="installation.html">Installation</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#quick-install-guide">Quick install guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#detailed-installation-guide">Detailed installation guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#supported-platforms">Supported platforms</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="release-notes/index.html">Release Notes</a><ul>
<li class="toctree-l3"><a class="reference internal" href="release-notes/index.html#supported-product-series">Supported Product Series</a><ul>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-2-1">Series 2.1</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="release-notes/index.html#older-versions">Older Versions</a><ul>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-2-2-0">Series 2: 2.0</a></li>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-1">Series 1</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../packager.html">Note for Packagers</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="quickstart.html">Quickstart guide</a><ul>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#features">Features</a></li>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#typical-installation">Typical Installation</a></li>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#configuration">Configuration</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="concepts.html">Concepts</a><ul>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#sasl">SASL</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#sasl-authentication-mechanisms">SASL Authentication Mechanisms</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#security-layers">Security Layers</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#channel-binding">Channel Binding</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#realms">Realms</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#protocols">Protocols</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#cyrus-sasl">Cyrus SASL</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#the-glue-library">The Glue Library</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#auxiliary-properties">Auxiliary Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#plugins">Plugins</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../setup.html">Setup</a><ul>
<li class="toctree-l2"><a class="reference internal" href="installation.html">Installation</a><ul>
<li class="toctree-l3"><a class="reference internal" href="installation.html#quick-install-guide">Quick install guide</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#tarball-installation">Tarball installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#unix-package-installation">Unix package Installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#configuration">Configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="installation.html#detailed-installation-guide">Detailed installation guide</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#requirements">Requirements</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#build-configuration">Build Configuration</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#building-and-installation">Building and Installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#compilation-hints">Compilation Hints</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#application-configuration">Application Configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="installation.html#supported-platforms">Supported platforms</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="upgrading.html">Upgrading from v1 to v2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#backwards-compatibility">Backwards Compatibility</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#coexistence-with-saslv1">Coexistence with SASLv1</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#database-upgrades">Database Upgrades</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#errors-on-migration">Errors on migration</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="components.html">Components</a><ul>
<li class="toctree-l3"><a class="reference internal" href="components.html#the-application">The Application</a></li>
<li class="toctree-l3"><a class="reference internal" href="components.html#the-sasl-glue-layer">The SASL Glue Layer</a></li>
<li class="toctree-l3"><a class="reference internal" href="components.html#plugins">Plugins</a><ul>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-general">Plugins: General</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-sasl-mechanisms">Plugins: SASL Mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-auxiliary-property">Plugins: Auxiliary Property</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-username-canonicalization">Plugins: Username Canonicalization</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="components.html#password-verification-services">Password Verification Services</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="options.html">Options</a><ul>
<li class="toctree-l3"><a class="reference internal" href="options.html#sasl-library">SASL Library</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#auxiliary-property-plugin">Auxiliary Property Plugin</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#gssapi">GSSAPI</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#ldapdb">LDAPDB</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-ldapdb">Notes on LDAPDB</a></li>
<li class="toctree-l4"><a class="reference internal" href="options.html#examples">Examples</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#ntlm">NTLM</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#otp">OTP</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#digest-md5">Digest-md5</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#sasldb">SASLDB</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-sasldb-with-lmdb">Notes on sasldb with LMDB</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#sql-plugin">SQL Plugin</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-sql">Notes on SQL</a></li>
<li class="toctree-l4"><a class="reference internal" href="options.html#id2">Examples</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#srp">SRP</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#kerberos-v4">Kerberos V4</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="advanced.html">Advanced Usage</a><ul>
<li class="toctree-l3"><a class="reference internal" href="advanced.html#notes-for-advanced-usage-of-libsasl">Notes for Advanced Usage of libsasl</a><ul>
<li class="toctree-l4"><a class="reference internal" href="advanced.html#using-cyrus-sasl-as-a-static-library">Using Cyrus SASL as a static library</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1 current"><a class="reference internal" href="../operations.html">Operations</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="#">System Administrators</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#what-sasl-is">What SASL is</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#authentication-and-authorization-identifiers">Authentication and authorization identifiers</a></li>
<li class="toctree-l4"><a class="reference internal" href="#realms">Realms</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#how-sasl-works">How SASL works</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#the-plain-mechanism-sasl-checkpass-and-plaintext-passwords">The PLAIN mechanism, <code class="docutils literal"><span class="pre">sasl_checkpass()</span></code>, and plaintext passwords</a></li>
<li class="toctree-l4"><a class="reference internal" href="#shared-secrets-mechanisms">Shared secrets mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="#kerberos-mechanisms">Kerberos mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="#the-otp-mechanism">The OTP mechanism</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#auxiliary-properties">Auxiliary Properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="#how-to-set-configuration-options">How to set configuration options</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#the-default-configuration-file">The default configuration file</a></li>
<li class="toctree-l4"><a class="reference internal" href="#application-configuration">Application configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="manpages.html">Man pages</a><ul>
<li class="toctree-l3"><a class="reference internal" href="manpages.html#library-files">(3) Library Files</a><ul>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl.html"><strong>SASL</strong> - SASL Authentication Library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_authorize_t.html"><strong>sasl_authorize_t</strong> - The SASL authorization callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop.html"><strong>sasl_auxprop</strong> - How to work with SASL auxiliary properties</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_add_plugin.html"><strong>sasl_auxprop_add_plugin</strong> - add a SASL auxiliary property plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_getctx.html"><strong>sasl_auxprop_getctx</strong> - Acquire an auxiliary property context</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_request.html"><strong>sasl_auxprop_request</strong> - Request auxiliary properties from SASL</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_callbacks.html"><strong>sasl_callbacks</strong> - How to work with SASL callbacks</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_canon_user_t.html"><strong>sasl_canon_user_t</strong> - Application-supplied user canonicalization function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_canonuser_add_plugin.html"><strong>sasl_canonuser_add_plugin</strong> - add a SASL user canonicalization plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_chalprompt_t.html"><strong>sasl_chalprompt_t</strong> - Realm acquisition callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_checkapop.html"><strong>sasl_checkapop</strong> - Check an APOP challenge/response</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_checkpass.html"><strong>sasl_checkpass</strong> - Check a plaintext password</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_add_plugin.html"><strong>sasl_client_add_plugin</strong> - add a SASL client plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_done.html"><strong>sasl_client_done</strong> - Cleanup function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_init.html"><strong>sasl_client_init</strong> - SASL client authentication initialization</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_new.html"><strong>sasl_client_new</strong> - Create a new client authentication object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_plug_init_t.html"><strong>sasl_client_plug_init_t</strong> - client plug‐in entry point</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_start.html"><strong>sasl_client_start</strong> - Begin an authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_step.html"><strong>sasl_client_step</strong> - Perform a step in the authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_decode.html"><strong>sasl_decode</strong> - Decode data received</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_decode64.html"><strong>sasl_decode64</strong> - Decode base64 string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_dispose.html"><strong>sasl_dispose</strong> - Dispose of a SASL connection object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_done.html"><strong>sasl_done</strong> - Dispose of a SASL connection object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encode.html"><strong>sasl_encode</strong> - Encode data for transport to authenticated host</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encode64.html"><strong>sasl_encode64</strong> - Encode base64 string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encodev.html"><strong>sasl_encodev</strong> - Encode data for transport to authenticated host</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_erasebuffer.html"><strong>sasl_erasebuffer</strong> - erase buffer</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errdetail.html"><strong>sasl_errdetail</strong> - Retrieve  detailed information about an error</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errors.html"><strong>sasl_errors</strong> - SASL error codes</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errstring.html"><strong>sasl_errstring</strong> - Translate a SASL return code to a human-readable form</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getcallback_t.html"><strong>sasl_getcallback_t</strong> - callback function to lookup a sasl_callback_t for a connection</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getconfpath_t.html"><strong>sasl_getconfpath_t</strong> - The SASL callback to indicate location of the config files</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getopt_t.html"><strong>sasl_getopt_t</strong> - The SASL get option callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getpath_t.html"><strong>sasl_getpath_t</strong> - The SASL callback to indicate location of the mechanism drivers</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getprop.html"><strong>sasl_getprop</strong> - Get a SASL property</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getrealm_t.html"><strong>sasl_getrealm_t</strong> - Realm Acquisition Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getsecret_t.html"><strong>sasl_getsecret_t</strong> - The SASL callback for secrets (passwords)</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getsimple_t.html"><strong>sasl_getsimple_t</strong> - The SASL callback for username/authname/realm</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_global_listmech.html"><strong>sasl_global_listmech</strong> - Retrieve a list of the supported SASL mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_idle.html"><strong>sasl_idle</strong> - Perform precalculations during an idle period</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_listmech.html"><strong>sasl_listmech</strong> - Retrieve a list of the supported SASL mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_log_t.html"><strong>sasl_log_t</strong> - The SASL logging callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_add_plugin.html"><strong>sasl_server_add_plugin</strong> - add a SASL server plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_done.html"><strong>sasl_server_done</strong> - Cleanup function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_init.html"><strong>sasl_server_init</strong> - SASL server authentication initialization</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_new.html"><strong>sasl_server_new</strong> - Create a new server authentication object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_plug_init_t.html"><strong>sasl_server_plug_init_t</strong> - server plug‐in entry point</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_start.html"><strong>sasl_server_start</strong> - Begin an authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_step.html"><strong>sasl_server_step</strong> - Perform a step in the authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_userdb_checkpass_t.html"><strong>sasl_server_userdb_checkpass_t</strong> - Plaintext Password Verification Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_userdb_setpass_t.html"><strong>sasl_server_userdb_setpass_t</strong> - UserDB Plaintext Password Setting Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_set_alloc.html"><strong>sasl_set_alloc</strong> - set the memory allocation functions used by the SASL library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_set_mutex.html"><strong>sasl_set_mutex</strong> - set the mutex lock functions used by the SASL library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_seterror.html"><strong>sasl_seterror</strong> - set the error string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_setpass.html"><strong>sasl_setpass</strong> - Check a plaintext password</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_setprop.html"><strong>sasl_setprop</strong> - Set a SASL property</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_user_exists.html"><strong>sasl_user_exists</strong> - Check if a user exists on server</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_usererr.html"><strong>sasl_usererr</strong> - Remove information leak about accounts from sasl error codes</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_utf8verify.html"><strong>sasl_utf8verify</strong> - Verify a string is valid utf8</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_verifyfile_t.html"><strong>sasl_verifyfile_t</strong> - The SASL file verification</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="auxiliary_properties.html">Auxiliary Properties</a><ul>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#auxiliary-properties-and-the-glue-layer">Auxiliary Properties and the Glue Layer</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#passwords-and-other-data">Passwords and other Data</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#sasldb">sasldb</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#ldapdb">ldapdb</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#sql">sql</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#user-canonicalization">User Canonicalization</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="authentication_mechanisms.html">Authentication Mechanisms</a><ul>
<li class="toctree-l3"><a class="reference internal" href="authentication_mechanisms.html#mechanisms">Mechanisms</a><ul>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#anonymous">ANONYMOUS</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#cram-md5">CRAM-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#digest-md5">DIGEST-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#external">EXTERNAL</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#g2">G2</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#gssapi">GSSAPI</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#gss-spegno">GSS-SPEGNO</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#kerberos-v4">KERBEROS_V4</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#login">LOGIN</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#ntlm">NTLM</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#otp">OTP</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#passdss">PASSDSS</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#plain">PLAIN</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#scram">SCRAM</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#srp">SRP</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#non-sasl-authentication">Non-SASL Authentication</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="authentication_mechanisms.html#summary">Summary</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="pwcheck.html">Pwcheck</a><ul>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auxprop">Auxprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auxprop-hashed">Auxprop-hashed</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#saslauthd">Saslauthd</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#authdaemon">Authdaemon</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#alwaystrue">Alwaystrue</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auto-transition">Auto Transition</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="faq.html">Frequently Asked Questions</a><ul>
<li class="toctree-l3"><a class="reference internal" href="faqs/authorize-vs-authenticate.html">What is the difference between an Authorization ID and a Authentication ID?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/crammd5-digestmd5.html">Why do CRAM-MD5 and DIGEST-MD5 not work with CyrusSaslauthd?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/openldap-sasl-gssapi.html">How do I configure OpenLDAP +SASL+GSSAPI?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/plaintextpasswords.html">Why does CyrusSasl store plaintext passwords in its databases?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/rfcs.html">RFCs and drafts</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/upgrade-saslv2.html">Why am I having a problem running dbconverter-2 to upgrade from SASLv1 to SASLv2?</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="resources.html">Other Documentation &amp; Resources</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../developer.html">Developers</a><ul>
<li class="toctree-l2"><a class="reference internal" href="appconvert.html">Converting Applications from v1 to v2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-both-clients-and-servers">Tips for both clients and servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-clients">Tips for clients</a></li>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-servers">Tips for Servers</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/programming.html">Application Programmer’s Guide</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#introduction">Introduction</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#about-this-guide">About this Guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-is-sasl">What is SASL?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#background">Background</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#how-did-the-world-work-before-sasl">How did the world work before SASL?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#sasl-to-the-rescue">SASL to the rescue!</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#briefly">Briefly</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-is-the-cyrus-sasl-library-good-for">What is the Cyrus SASL library good for?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-does-the-cyrus-sasl-library-do">What does the Cyrus SASL library do?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-doesn-t-the-cyrus-sasl-library-do">What doesn’t the Cyrus SASL library do?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#client-only-section">Client-only Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#a-typical-interaction-from-the-client-s-perspective">A typical interaction from the client’s perspective</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#how-does-this-look-in-code">How does this look in code</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#server-only-section">Server-only Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#a-typical-interaction-from-the-server-s-perspective">A typical interaction from the server’s perspective</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#id1">How does this look in code?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#common-section">Common Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#callbacks-and-interactions">Callbacks and Interactions</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#security-layers">Security layers</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#example-applications-that-come-with-the-cyrus-sasl-library">Example applications that come with the Cyrus SASL library</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#sample-client-and-sample-server"><cite>sample-client</cite> and <cite>sample-server</cite></a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#cyrus-imapd-v2-1-0-or-later">Cyrus imapd v2.1.0 or later</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#imtest-from-cyrus-2-1-0-or-later"><cite>imtest</cite>, from Cyrus 2.1.0 or later</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#miscellaneous-information">Miscellaneous Information</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#empty-exchanges">Empty exchanges</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#idle">Idle</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/plugprog.html">Plugin Programmer’s Guide</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#introduction">Introduction</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#about-this-guide">About this Guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#what-is-sasl">What is SASL?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#common-section">Common Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#overview-of-plugin-programming">Overview of Plugin Programming</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#use-of-sasl-utils-t">Use of sasl_utils_t</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#error-reporting">Error Reporting</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#memory-allocation">Memory Allocation</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#client-send-first-server-send-last">Client Send First / Server Send Last</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#client-plugins">Client Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#server-plugins">Server Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#user-canonicalization-canon-user-plugins">User Canonicalization (canon_user) Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#auxiliary-property-auxprop-plugins">Auxiliary Property (auxprop) Plugins</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/testing.html">Testing</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/testing.html#testing-the-cmu-sasl-library-with-the-included-sample-applications">Testing the CMU SASL Library with the included sample applications</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/testing.html#example">Example</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/testing.html#running-the-testsuite-application">Running the Testsuite application</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../support.html">Support/Community</a></li>
</ul>
<p class="caption"><span class="caption-text">IMAP</span></p>
<ul>
<li class="toctree-l1"><a class="reference external" href="http://www.cyrusimap.org">Cyrus IMAP</a></li>
</ul>

          
        
      </div>
      &nbsp;
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="../index.html">Cyrus SASL</a>
      </nav>


      
      <div class="wy-nav-content">
        <div class="rst-content">
          
          <div role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../index.html">Docs v2.1.27</a> &raquo;</li>
      
          <li><a href="../operations.html">Operations</a> &raquo;</li>
      
    <li>System Administrators</li>
      <li class="wy-breadcrumbs-aside">
        
          
            <a href="https://github.com/cyrusimap/cyrus-sasl/blob/master/docsrc/sasl/sysadmin.rst" class="fa fa-github"> Edit on GitHub</a>
          
        
      </li>
  </ul>
  <hr/>
</div>
          <div role="main" class="document">
            
  <div class="section" id="system-administrators">
<span id="sysadmin"></span><h1>System Administrators<a class="headerlink" href="#system-administrators" title="Permalink to this headline">¶</a></h1>
<p>This document covers configuring SASL for system administrators,
specifically those administrators who are installing a server that
uses the Cyrus SASL library.  You may want to read
<a class="reference internal" href="components.html#components"><span class="std std-ref">about components</span></a> which presents an
overview of the Cyrus SASL distribution
and describes how the components interact, as well as the <a class="reference internal" href="installation.html#installation"><span class="std std-ref">installation guide</span></a></p>
<div class="section" id="what-sasl-is">
<span id="saslintro"></span><h2>What SASL is<a class="headerlink" href="#what-sasl-is" title="Permalink to this headline">¶</a></h2>
<p>SASL, the Simple Authentication and Security Layer, is a generic
mechanism for protocols to accomplish authentication.  Since protocols
(such as SMTP or IMAP) use SASL, it is a natural place for code
sharing between applications.  Some notable applications that use the
Cyrus SASL library include <a class="reference external" href="http://www.sendmail.org">Sendmail</a>,
<a class="reference external" href="http://www.cyrusimap.org">Cyrus imapd</a>,
and <a class="reference external" href="http://www.openldap.org">OpenLDAP</a>.</p>
<p>Applications use the SASL library to tell them how to accomplish
the SASL protocol exchange, and what the results were.</p>
<p>SASL is only a framework: specific SASL mechanisms govern the
exact protocol exchange.  If there are n protocols and m different
ways of authenticating, SASL attempts to make it so only n plus m
different specifications need be written instead of n times m
different specifications.  With the Cyrus SASL library, the mechanisms
need only be written once, and they’ll work with all servers that use
it.</p>
<div class="section" id="authentication-and-authorization-identifiers">
<span id="authid"></span><h3>Authentication and authorization identifiers<a class="headerlink" href="#authentication-and-authorization-identifiers" title="Permalink to this headline">¶</a></h3>
<p>An important concept to become familiar with is the difference between
an “authorization identifier” and an “authentication identifier”.</p>
<dl class="docutils">
<dt>userid (user id, authorization id)</dt>
<dd>The userid is the
identifier an application uses to check allowable options.  On my Unix
system, the user <code class="docutils literal"><span class="pre">bovik</span></code> (the account of Harry Q. Bovik) is
allowed to write to <code class="docutils literal"><span class="pre">/home/bovik</span></code> and its subdirectories but
not to <code class="docutils literal"><span class="pre">/etc</span></code>.</dd>
<dt>authid (authentication id)</dt>
<dd><p class="first">The authentication identifier is
the identifier that is being checked.  “bovik“‘s password might be
“qqqq”, and the system will authenticate anyone who knows “qqqq” as
“bovik”.</p>
<p class="last">However, it’s possible to authenticate as one user but
<em>act as</em> another user.  For instance, Harry might be away on
vacation and assign one of his graduate students, Jane, to read his
mail.  He might then allow Jane to act as him merely by supplying her
password and her id as authentication but requesting authorization as
“bovik”. So Jane might log in with an authentication identifier of
“jane” and an authorization id of “bovik” and her own (Jane’s)
password.</p>
</dd>
</dl>
<p>Applications can set their own proxy policies; by default, the SASL
library will only allow the same user to act for another (that is,
userid must equal authid).  See your application’s documentation for
details about changing the default proxy/authorization policies.</p>
</div>
<div class="section" id="realms">
<span id="id1"></span><h3>Realms<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
<p>The Cyrus SASL library supports the concept of “realms”.  A realm is
an abstract set of users and certain mechanisms authenticate users in
a certain realm.</p>
<p>In the simplest case, a single server on a single machine, the
realm might be the fully-qualified domain name of the server.  If the
applications don’t specify a realm to SASL, most mechanisms will
default to this.</p>
<p>If a site wishes to share passwords between multiple machines, it
might choose it’s authentication realm as a domain name, such as
“CMU.EDU”.  On the other hand, in order to prevent the entire site’s
security from being compromised when one machine is compromised, each
server could have it’s own realm. Certain mechanisms force the user
(client side) to manually configure what realm they’re in, making it
harder for users to authenticate.</p>
<p>A single site might support multiple different realms.  This can
confuse applications that weren’t written in anticipation of this; make
sure your application can support it before adding users from different
realms into your databases.</p>
<p>To add users of different realms to sasldb, you can use the
<code class="docutils literal"><span class="pre">-u</span></code> option to saslpasswd2.  The SQL plugin has a way of
integrating the realm name into the query string with the ‘%r’ macro.</p>
<p>The Kerberos mechanisms treat the SASL realm as the Kerberos
realm.  Thus, the realm for Kerberos mechanisms defaults to the
default Kerberos realm on the server.  They may support cross-realm
authentication; check your application on how it deals with this.</p>
<p>Realms will be passed to saslauthd as part of the saslauthd protocol,
however the way each saslauthd module deals with the situation is
different (for example, the LDAP plugin allows you to use the realm
to query the server, while the rimap and PAM plugins ignore it entirely).</p>
<p>Realms are represented in a username string by any text followinhg
the ‘&#64;’ sign.  So, usernames like <a class="reference external" href="mailto:rjs3&#37;&#52;&#48;ANDREW&#46;CMU&#46;EDU">rjs3<span>&#64;</span>ANDREW<span>&#46;</span>CMU<span>&#46;</span>EDU</a>, is user ‘rjs3’
in the realm ‘ANDREW.CMU.EDU’.  If no realm is provided, the server’s
FQDN is assumed (likewise when specifying a realm for saslpasswd2).</p>
</div>
</div>
<div class="section" id="how-sasl-works">
<span id="saslhow"></span><h2>How SASL works<a class="headerlink" href="#how-sasl-works" title="Permalink to this headline">¶</a></h2>
<p>How SASL works is governed by what mechanism the client and server
choose to use and the exact implementation of that mechanism.  This
section describes the way these mechanisms act in the Cyrus SASL
implementation.</p>
<div class="section" id="the-plain-mechanism-sasl-checkpass-and-plaintext-passwords">
<h3>The PLAIN mechanism, <code class="docutils literal"><span class="pre">sasl_checkpass()</span></code>, and plaintext passwords<a class="headerlink" href="#the-plain-mechanism-sasl-checkpass-and-plaintext-passwords" title="Permalink to this headline">¶</a></h3>
<p>The PLAIN mechanism is not a secure method of authentication by
itself.  It is intended for connections that are being encrypted by
another level.  (For example, the IMAP command “STARTTLS” creates an
encrypted connection over which PLAIN might be used.) The PLAIN
mechanism works by transmitting a userid, an authentication id, and a
password to the server, and the server then determines whether that is
an allowable triple.</p>
<p>The principal concern for system administrators is how the
authentication identifier and password are verified.  The Cyrus SASL
library is flexible in this regard:</p>
<dl class="docutils">
<dt>auxprop</dt>
<dd><p class="first">checks passwords agains the <code class="docutils literal"><span class="pre">userPassword</span></code> attribute
supplied by an auxiliary property plugin.  For example, SASL ships
with a sasldb auxiliary property plugin, that can be used to
authenticate against the passwords stored in <code class="docutils literal"><span class="pre">/etc/sasldb2</span></code>.</p>
<p class="last">Since other mechanisms also use this database for passwords, using
this method will allow SASL to provide a uniform password database to
a large number of mechanisms.</p>
</dd>
<dt>saslauthd</dt>
<dd><p class="first">contacts the <code class="docutils literal"><span class="pre">saslauthd</span></code> daemon to to check passwords
using a variety of mechanisms.  More information about the various invocations
of saslauthd can be can be found in <code class="docutils literal"><span class="pre">saslauthd(8)</span></code>.  Generally you
want something like <code class="docutils literal"><span class="pre">saslauthd</span> <span class="pre">-a</span> <span class="pre">pam</span></code>.  If plaintext authentications
seem to be taking some time under load, increasing the value of the <code class="docutils literal"><span class="pre">-n</span></code>
parameter can help.</p>
<p>Saslauthd keeps its named socket in “/var/state/saslauthd” by default.
This can be overridden by specifying an alternate value to
–with-saslauthd=/foo/bar at compile time, or by passing the -m
parameter to saslauthd (along with setting the saslauthd_path SASL
option).  Whatever directory this is, it must exist in order for
saslauthd to function.</p>
<p>Once you configure (and start) <code class="docutils literal"><span class="pre">saslauthd</span></code>, there is a
<code class="docutils literal"><span class="pre">testsaslauthd</span></code> program that can be built with <code class="docutils literal"><span class="pre">make</span>
<span class="pre">testsaslauthd</span></code> in the <code class="docutils literal"><span class="pre">saslauthd</span></code> subdirectory of the
source.  This can be used to check that that the <code class="docutils literal"><span class="pre">saslauthd</span></code>
daemon is installed and running properly.  An invocation like
<code class="docutils literal"><span class="pre">testsaslauthd</span> <span class="pre">-u</span> <span class="pre">rjs3</span> <span class="pre">-p</span> <span class="pre">1234</span></code> with appropriate values for the
username and password should do the trick.</p>
<p class="last">If you are using the PAM method to verify passwords with saslauthd, keep in
mind that your PAM configuration will need to be configured for each service
name that is using saslauthd for authentication. Common service names
are <code class="docutils literal"><span class="pre">imap</span></code>, <code class="docutils literal"><span class="pre">sieve</span></code>, and <code class="docutils literal"><span class="pre">smtp</span></code>.</p>
</dd>
<dt>Courier-IMAP authdaemond</dt>
<dd><p class="first">contacts Courier-IMAP’s <code class="docutils literal"><span class="pre">authdaemond</span></code> daemon to check passwords.
This daemon is simliar in functionality to <code class="docutils literal"><span class="pre">saslauthd</span></code>, and is shipped
separately with the <a class="reference external" href="http://www.courier-mta.org">Courier</a> mail server.</p>
<p>Note: this feature is <strong>not</strong> compiled in the library by default, and is
provided for sites with custom/special requirements only (because the
internal authentication protocol its not documented anywhere so it could
change at any time).  We have tested against the authdaemond included with
Courier-IMAP 2.2.1.</p>
<p class="last">To enable <code class="docutils literal"><span class="pre">authdaemond</span></code> support, pass <code class="docutils literal"><span class="pre">--with-authdaemon</span></code> to the
configuration script, set pwcheck_method to <code class="docutils literal"><span class="pre">authdaemond''</span> <span class="pre">and</span> <span class="pre">point</span>
<span class="pre">authdaemond_path</span> <span class="pre">to</span> <span class="pre">``authdaemond</span></code>’s unix socket. Optionally, you can
specify –with-authdaemond=PATH to the configure script so that
authdaemond_path points to a default, static, location.</p>
</dd>
<dt>pwcheck</dt>
<dd>checks passwords with the use of a separate,
helper daemon.  This feature is for backwards-compatibility
only. New installations should use saslauthd.</dd>
<dt>write your own</dt>
<dd><p class="first">Last, but not least, the most flexible method of authentication
for PLAIN is to write your own.  If you do so, any application that
calls the <code class="docutils literal"><span class="pre">sasl_checkpass()</span></code> routine or uses PLAIN will
invoke your code.  The easiest place to modify the plaintext
authentication routines is to modify the routine
<code class="docutils literal"><span class="pre">_sasl_checkpass()</span></code> in the file <code class="docutils literal"><span class="pre">lib/server.c</span></code> to
support a new method, and to add that method to
<code class="docutils literal"><span class="pre">lib/checkpw.c</span></code>.  Be sure to add a prototype in
<code class="docutils literal"><span class="pre">lib/saslint.h</span></code>!</p>
<p class="last">However, the more flexible and preferred method of
adding a routine is to create a new saslauthd mechanism.</p>
</dd>
</dl>
<p>The LOGIN mechanism (not to be confused with IMAP4’s LOGIN command)
is an undocumented, unsupported mechanism.  It’s included in the Cyrus
SASL distribution for the sake of SMTP servers that might want to
interoperate with old clients.  Do not enable this mechanism unless
you know you’re going to need it.  When enabled, it verifies passwords
the same way the PLAIN mechanism does.</p>
</div>
<div class="section" id="shared-secrets-mechanisms">
<h3>Shared secrets mechanisms<a class="headerlink" href="#shared-secrets-mechanisms" title="Permalink to this headline">¶</a></h3>
<p>The Cyrus SASL library also supports some “shared secret”
authentication methods: CRAM-MD5 and its successor DIGEST-MD5.  These
methods rely on the client and the server sharing a “secret”, usually
a password.  The server generates a challenge and the client a
response proving that it knows the shared secret.  This is much more
secure than simply sending the secret over the wire proving that the
client knows it.</p>
<p>There’s a downside: in order to verify such responses, the
server must keep passwords or password equivalents in a database;
if this database is compromised, it is the same as if all the
passwords for the realm are compromised.</p>
<p>Put another way, <em>you cannot use saslauthd with these methods</em>.
If you do not wish to advertise these methods for that reason (i.e. you
are only using saslauthd for password verification), then either remove
the non-plaintext plugins (those other than login and plain) from the
plugin directory, or use the <a class="reference internal" href="options.html#cmdoption-arg-mech-list"><code class="xref std std-option docutils literal"><span class="pre">mech_list</span></code></a> option to disable them.</p>
<p>For simplicity sake, the Cyrus SASL library stores plaintext
passwords only in the <code class="docutils literal"><span class="pre">/etc/sasldb2</span></code> database.  These passwords
are then shared among all mechanisms which choose to use it.
Depending on the exact database method
used (gdbm, ndbm, or db) the file may have different suffixes or may
even have two different files (<code class="docutils literal"><span class="pre">sasldb.dir</span></code> and
<code class="docutils literal"><span class="pre">sasldb.pag</span></code>).  It is also possible for a server to define
it’s own way of storing authentication secrets.  Currently, no
application is known to do this.</p>
<p>The principle problem for a system administrator is to make sure that
sasldb is properly protected. Only the servers that need to read it to
verify passwords should be able to.  If there are any normal shell
users on the system, they must not be able to read it.</p>
<p>This point is important, so we will repeat it: <strong>sasldb stores the
plaintext versions of all of its passwords. If it is compromised so
are all of the passwords that it stores</strong>.</p>
<p>Managing password changes is outside the scope of the library.
However, system administrators should probably make a way of letting
user’s change their passwords available to users.  The
<code class="docutils literal"><span class="pre">saslpasswd2</span></code> utility is provided to change the secrets in
sasldb.  It does not affect PAM, <code class="docutils literal"><span class="pre">/etc/passwd</span></code>, or any other
standard system library; it only affects secrets stored in sasldb.</p>
<p>Finally, system administrators should think if they want to enable
“auto_transition”.  If set, the library will automatically create
secrets in sasldb when a user uses PLAIN to successfully authenticate.
However, this means that the individual servers, such as imapd, need
read/write access to sasldb, not just read access.  By default,
“auto_transition” is set to false; set it to true to enable.  (There’s
no point in enabling this option if “pwcheck_method” is “auxprop”,
and the sasldb plugin is installed, since you’ll be transitioning from
a plaintext store to a plaintext store)</p>
</div>
<div class="section" id="kerberos-mechanisms">
<h3>Kerberos mechanisms<a class="headerlink" href="#kerberos-mechanisms" title="Permalink to this headline">¶</a></h3>
<p>The Cyrus SASL library also comes with two mechanisms that make use of
Kerberos: KERBEROS_V4, which should be able to use any Kerberos v4
implementation, and GSSAPI (tested against MIT Kerberos 5, Heimdal
Kerberos 5 and CyberSafe Kerberos 5).  These mechanisms make use of the kerberos infrastructure
and thus have no password database.</p>
<p>Applications that wish to use a kerberos mechanism will need access
to a service key, stored either in a <a class="reference internal" href="options.html#cmdoption-arg-srvtab"><code class="xref std std-option docutils literal"><span class="pre">srvtab</span></code></a> file (Kerberos 4) or a
<a class="reference internal" href="options.html#cmdoption-arg-keytab"><code class="xref std std-option docutils literal"><span class="pre">keytab</span></code></a> file (Kerberos 5).</p>
<p>The Kerberos 4 <a class="reference internal" href="options.html#cmdoption-arg-srvtab"><code class="xref std std-option docutils literal"><span class="pre">srvtab</span></code></a> file location is configurable; by default it is
<code class="docutils literal"><span class="pre">/etc/srvtab</span></code>, but this is modifiable by the “srvtab” option.
Different SASL applications can use different srvtab files.</p>
<p>A SASL application must be able to read its srvtab or keytab file.</p>
<p>You may want to consult the &lt;a href=”gssapi.html”&gt;GSSAPI Tutorial&lt;/a&gt;.&lt;/p&gt;</p>
</div>
<div class="section" id="the-otp-mechanism">
<h3>The OTP mechanism<a class="headerlink" href="#the-otp-mechanism" title="Permalink to this headline">¶</a></h3>
<p>The Cyrus SASL library also supports the One-Time-Password (OTP)
mechanism.  This mechanism is similar to CRAM-MD5 and DIGEST-MD5 in
that is uses a shared secret and a challenge/response exchange.
However, OTP is more secure than the other shared secret mechanisms in
that the secret is used to generate a sequence of one-time (single
use) passwords which prevents reply attacks, and that secret need
not be stored on the system.  These one-time passwords are stored in the
<code class="docutils literal"><span class="pre">/etc/sasldb2</span></code> database.</p>
<div class="section" id="otp-via-opie">
<h4>OTP via OPIE<a class="headerlink" href="#otp-via-opie" title="Permalink to this headline">¶</a></h4>
<p>For sites with an existing OTP infrastructure using OPIE, Cyrus SASL
can be configured to use OPIE v2.4 instead of using its own database
and server-side routines.</p>
<p>OPIE should be configured with the <code class="docutils literal"><span class="pre">--disable-user-locking</span></code>
option if the SASL server application will not be running as “root”.</p>
<p>OPIE uses its own “opiekeys” database for storing the data necessary
for generating the server challenges.  The location of the <a class="reference internal" href="options.html#cmdoption-arg-opiekeys"><code class="xref std std-option docutils literal"><span class="pre">opiekeys</span></code></a>
file is configurable in SASL; by default it is <code class="docutils literal"><span class="pre">/etc/opiekeys</span></code>,
but this is modifiable by the <a class="reference internal" href="options.html#cmdoption-arg-opiekeys"><code class="xref std std-option docutils literal"><span class="pre">opiekeys</span></code></a> option.</p>
<p>A SASL server application must be able to read and write the
opiekeys file.</p>
</div>
</div>
</div>
<div class="section" id="auxiliary-properties">
<h2>Auxiliary Properties<a class="headerlink" href="#auxiliary-properties" title="Permalink to this headline">¶</a></h2>
<p>SASLv2 introduces the concept of Auxilliary Properties.  That is, the ability
for information related to authentication and authorization to all be looked
up at once from a directory during the authentication process.  SASL Plugins
internally take advantage of this to do password lookups in directories
such as the SASLdb, LDAP or a SQL database.  Applications can look up arbitrary properties through them.</p>
<p>Note that this means that if your password database is in a SASLdb, and
you wish to use it for plaintext password lookups through the sasldb, you
will need to set the sasl <a class="reference internal" href="options.html#cmdoption-arg-pwcheck-method"><code class="xref std std-option docutils literal"><span class="pre">pwcheck_method</span></code></a> to be <code class="docutils literal"><span class="pre">auxprop</span></code>.</p>
</div>
<div class="section" id="how-to-set-configuration-options">
<h2>How to set configuration options<a class="headerlink" href="#how-to-set-configuration-options" title="Permalink to this headline">¶</a></h2>
<p>The Cyrus SASL library comes with a built-in configuration file
reader.  However, it is also possible for applications to redefine
where the library gets it’s configuration options from.</p>
<div class="section" id="the-default-configuration-file">
<span id="saslconf"></span><h3>The default configuration file<a class="headerlink" href="#the-default-configuration-file" title="Permalink to this headline">¶</a></h3>
<p>By default, the Cyrus SASL library reads its options from
<code class="docutils literal"><span class="pre">/usr/lib/sasl2/App.conf</span></code> (where “App” is the application
defined name of the application).  For instance, Sendmail reads its
configuration from <code class="docutils literal"><span class="pre">/usr/lib/sasl2/Sendmail.conf</span></code> and the
sample server application included with the library looks in
<code class="docutils literal"><span class="pre">/usr/lib/sasl2/sample.conf</span></code>.</p>
<p>A standard Cyrus SASL configuration file looks like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">srvtab</span><span class="p">:</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">app</span><span class="o">/</span><span class="n">srvtab</span>
<span class="n">pwcheck_method</span><span class="p">:</span> <span class="n">saslauthd</span>
</pre></div>
</div>
</div>
<div class="section" id="application-configuration">
<h3>Application configuration<a class="headerlink" href="#application-configuration" title="Permalink to this headline">¶</a></h3>
<p>Applications can redefine how the SASL library looks for configuration
information.  Check your application’s documentation for specifics.</p>
<p>For instance, Cyrus imapd reads its sasl options from its own
configuration file, <code class="docutils literal"><span class="pre">/etc/imapd.conf</span></code>, by prepending all SASL
options with <code class="docutils literal"><span class="pre">sasl_</span></code>: the SASL option “pwcheck_method” is set
by changing “sasl_pwcheck_method” in <code class="docutils literal"><span class="pre">/etc/imapd.conf</span></code>.</p>
</div>
</div>
<div class="section" id="troubleshooting">
<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h2>
<dl class="docutils">
<dt>Why doesn’t KERBEROS_V4 doesn’t appear as an available mechanism?</dt>
<dd>Check that the <code class="docutils literal"><span class="pre">srvtab</span></code> file is readable by the
user running as the daemon.  For Cyrus imapd, it must be readable by
the Cyrus user.  By default, the library looks for the srvtab in
<code class="docutils literal"><span class="pre">/etc/srvtab</span></code>, but it’s configurable using the <a class="reference internal" href="options.html#cmdoption-arg-srvtab"><code class="xref std std-option docutils literal"><span class="pre">srvtab</span></code></a>
option.</dd>
<dt>Why doesn’t OTP doesn’t appear as an available mechanism?</dt>
<dd>If using OPIE, check that the <code class="docutils literal"><span class="pre">opiekeys</span></code> file is
readable by the user running the daemon.  For Cyrus imapd, it must
be readable by the Cyrus user.  By default, the library looks for the
opiekeys in <code class="docutils literal"><span class="pre">/etc/opiekeys</span></code>, but it’s configurable using the
<a class="reference internal" href="options.html#cmdoption-arg-opiekeys"><code class="xref std std-option docutils literal"><span class="pre">opiekeys</span></code></a> option.</dd>
<dt>Why don’t CRAM-MD5 and DIGEST-MD5 work with my old sasldb?</dt>
<dd>Because sasldb now stores plaintext passwords only, the old
sasldb is incompatible.</dd>
<dt>I’m having performance problems on each authentication, there is a noticeable slowdown when sasl initializes, what can I do?</dt>
<dd><p class="first">libsasl reads from <code class="docutils literal"><span class="pre">/dev/random</span></code> as part of its
initialization. <code class="docutils literal"><span class="pre">/dev/random</span></code> is a “secure” source of entropy,
and will block your application until a sufficient amount of
randomness has been collected to meet libsasl’s needs.</p>
<p class="last">To improve performance, you can change DEV_RANDOM in
<code class="docutils literal"><span class="pre">config.h</span></code> to be <code class="docutils literal"><span class="pre">/dev/urandom</span></code> and recompile
libsasl. <code class="docutils literal"><span class="pre">/dev/urandom</span></code> offers less secure random numbers but
should return immediately. The included mechanisms, besides OTP and
SRP, use random numbers only to generate nonces, so using
<code class="docutils literal"><span class="pre">/dev/urandom</span></code> is safe if you aren’t using OTP or SRP.</p>
</dd>
<dt>I’ve converted the sasldb database to the new format. Why can’t anybody authenticate?</dt>
<dd><p class="first">sasldb is now a plugin module for the auxprop method.
Make sure you changed the /usr/lib/sasl2/*.conf files to reflect
<code class="docutils literal"><span class="pre">pwcheck_method:</span> <span class="pre">auxprop</span></code></p>
<p class="last">…and if you’re using cyrus-imapd, /etc/imapd.conf must reflect:
<code class="docutils literal"><span class="pre">sasl_pwcheck_method:</span> <span class="pre">auxprop</span></code></p>
</dd>
<dt>Is LOGIN supported?</dt>
<dd>The LOGIN mechanism is a non-standard, undocumented
plaintext mechanism.  It’s included in the SASL distribution purely
for sites that need it to interoperate with old clients; we don’t
support it.  Don’t enable it unless you know you need it.</dd>
<dt>Is NTLM supported?</dt>
<dd>The NTLM mechanism is a non-standard, undocumented
mechanism developed by Microsoft.  It’s included in the SASL
distribution purely for sites that need it to interoperate with
Microsoft clients (ie, Outlook) and/or servers (ie, Exchange); we
don’t support it.  Don’t enable it unless you know you need it.</dd>
<dt>How can I get a non-root application to check plaintext passwords?</dt>
<dd>Use the “saslauthd” daemon and setting “pwcheck_method”
to “saslauthd”.</dd>
<dt>I want to use Berkeley DB, but it’s installed in <code class="docutils literal"><span class="pre">/usr/local/BerkeleyDB.3.1</span></code> and <code class="docutils literal"><span class="pre">configure</span></code> can’t find it.</dt>
<dd><p class="first">Try setting “CPPFLAGS” and “LDFLAGS” environment
variables before running <code class="docutils literal"><span class="pre">configure</span></code>, like so:</p>
<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">env</span> <span class="n">CPPFLAGS</span><span class="o">=</span><span class="s2">&quot;-I/usr/local/BerkeleyDB.3.1/include&quot;</span> \
  <span class="n">LDFLAGS</span><span class="o">=</span><span class="s2">&quot;-L/usr/local/BerkeleyDB.3.1/lib -R/usr/local/BerkeleyDB.3.1/lib&quot;</span> \
  <span class="o">./</span><span class="n">configure</span> <span class="o">--</span><span class="k">with</span><span class="o">-</span><span class="n">dblib</span><span class="o">=</span><span class="n">berkeley</span>
</pre></div>
</div>
</dd>
<dt>It’s not working and won’t tell me why! Help!</dt>
<dd><p class="first">Check syslog output (usually stored in
<code class="docutils literal"><span class="pre">/var/log</span></code>) for more information. You might want to change your
syslog configuration (usually <code class="docutils literal"><span class="pre">/etc/syslogd.conf</span></code>) to log
“*.debug” to a file while debugging a problem.</p>
<p class="last">The developers make heavy use of <code class="docutils literal"><span class="pre">strace</span></code> or <code class="docutils literal"><span class="pre">truss</span></code>
when debugging a problem that isn’t outputting any useful
information.</p>
</dd>
<dt>Is there a mailing list to discuss the Cyrus SASL library?</dt>
<dd>Check out our <a class="reference external" href="https://www.cyrusimap.org/contribute.html#contribute" title="(in Cyrus IMAP v3.0.8)"><span class="xref std std-ref">contribution</span></a> page for ways to get in touch
with us, including mailing lists and IRC.</dd>
</dl>
</div>
</div>


          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="manpages.html" class="btn btn-neutral float-right" title="Man pages" accesskey="n">Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="../operations.html" class="btn btn-neutral" title="Operations" accesskey="p"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
        &copy; Copyright 1993-2016, The Cyrus Team.
    </p>
  </div>
  Built with <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.6 using a modified <a href="https://readthedocs.org">Read the Docs</a> <a href="https://github.com/snide/sphinx_rtd_theme">theme</a>.

</footer>

        </div>
      </div>

    </section>

  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'../',
            VERSION:'2.1.27',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true
        };
    </script>
      <script type="text/javascript" src="../_static/jquery.js"></script>
      <script type="text/javascript" src="../_static/underscore.js"></script>
      <script type="text/javascript" src="../_static/doctools.js"></script>
      <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js"></script>

  

  
  
    <script type="text/javascript" src="../_static/js/theme.js"></script>
  

  
  
  <script type="text/javascript">
<!--      jQuery(function () {
          SphinxRtdTheme.StickyNav.enable();
      }); -->
  </script>
  
 



</body>
</html>