Re: saslauthd and multiple mechs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


The the best of my knowledge it is not supported. I wrote some patches against cyrus-sasl-2.1.19 earlier in the year which I am using to allow 2 mechs. The patches are a bit messy because I did not want to change too much core stuff.

It would not be too difficult to make the support a lot better.

My command line looks like this:
/usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap -V -O /etc/saslauthd-httpform.conf -a httpform

The return value of the second mech is not currently used but that is easy to change. I use the httpform as a way of synchronising passwords to other systems. For a generic solution some syntax regarding what to do on success or failure would need to be developed.

My patches also allow per realm configuration for the ldap mech and fixes some bugs in the httpform mech.

If you want the patches, let me know.


Mike Culbertson wrote:
I'm not sure we're talking about the same thing.  I'm actually asking
about the auth mechanisms used by saslauthd, that are specified on
the command line when you run the daemon such as getpwent, kerberos5,
pam, ldap, etc.  i.e.:

/usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5

Based on the man page, it sounds like you would be able to do
something like this to auth off of multiple backend sources:

/usr/sbin/saslauthd -a kerberos5 -a ldap  -c -m /var/run/saslauthd -n

But neither that nor any other style of arguments work to specify
multiple mechs.  I think this is a simple miswording in the man page,
but it warrants clarification.

In my case, we fell back to using 'pam' and handling multiple auth
backends with pam modules.  It would certainly be nicer if saslauthd
could do this without PAM though.


On Jun 16, 2010, at 4:03 PM, Henry B. Hotz wrote:

If you go back a few years there's an exchange between Simon
Wilkinson and me where he describes how to do it.  Basically you
get the server's list of available mech's, try to connect, if it
fails then you erase the chosen (failed) mech from the list and
start over.  You stop on success or when the error returned is no
available mechs.  This is programmatically more complex than the
published sample code.

The opposing viewpoint (from Ken Hornstein, who also deserves
respect) is that it makes everything more complex and less
reliable, and you're better off just picking a single one for any
given specific usage of SASL, even if your server supports more
than one.

On Jun 16, 2010, at 2:24 PM, Mike Culbertson wrote:

I'm aware that this has come up before (
 but (on Debian) the manpage for saslauthd states:

saslauthd supports one or more "authentication mechanisms"

so it's not entirely clear what the correct answer is.  Is there
any way at all to use multiple auth mechs, aside from doing it
through PAM?


- Mike
------------------------------------------------------ The opinions
expressed in this message are mine, not those of Caltech, JPL,
NASA, or the US Government. Henry.B.Hotz@xxxxxxxxxxxx, or

John Newbigin
ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux