SASL Pwcheck
Auxprop
Auxprop-hashed
Saslauthd
What is saslauthd? saslauthd is a daemon which validates
ldap_servers
- ldap://localhost
Specify a space-separated list of LDAP server URIs of the form ldap[si]://[name[:port]] (ldaps:// for a TLS-wrapped connection, ldapi:// for a local Unix-domain socket). See the ldap.conf URI option for formatting details.
ldap_bind_dn
- none
When simple authentication is desired, specify a distinguished name to use for a simple authenticated bind or a simple unauthenticated bind. Do not specify it if an anonymous bind is desired. This option is ignored when the evaluated ldap_auth_method is fastbind.
ldap_bind_pw
- none
ldap_bind_pw is an alias for ldap_password.
ldap_password
- none
When simple authentication is desired, specify a password to perform an authenticated bind, or omit it for an unauthenticated or anonymous bind. When SASL authentication is desired, specify a password to use where required by the underlying SASL mechanism. This option is ignored when the evaluated ldap_auth_method is fastbind.
ldap_version
- 3
Defaults to version 3. If ldap_use_sasl or ldap_start_tls is enabled, this option is ignored and the default, version 3, is used. Version 3 is compatible with anonymous binds, simple authenticated binds and simple unauthenticated binds. Version 2 should only be necessary where required by the server.
ldap_search_base
- none
When ldap_auth_method is evaluated as bind, ldap_search_base is used to search for the user's distinguished name. When ldap_auth_method is custom, ldap_search_base is used to find the user's ldap_password_attr attribute. When ldap_auth_method is evaluated as fastbind, ldap_search_base is ignored. If ldap_search_base contains substitution tokens, they are replaced as specified in the ldap_filter token expansion rules.
ldap_filter
- uid=%u
When ldap_auth_method is evaluated as bind, ldap_filter is used to search for the user's distinguished name. When ldap_auth_method is custom, ldap_filter becomes, after token expansion, the user's distinguished name. When ldap_auth_method is evaluated as fastbind, ldap_filter is ignored.
The following tokens, when contained within the ldap_filter option, are substituted with the specified values:
%%
is replaced with a literal %.
%u
is replaced with the userid to be authenticated.
%U
is replaced by the portion of the userid before the first @ character. If the userid contains no @ character, %U functions identically to %u. For example, if the userid to be authenticated is jsmith@example.org, %u is replaced by jsmith@example.org and %U is replaced by jsmith.
%d
is replaced by the portion of the userid after the first @ character. If the userid contains no @ character, %d is replaced by the realm value passed to saslauthd. If no realm value was passed to saslauthd, %d is replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.
%1-9
Within a userid which contains an @ character followed by a domain name, %1 is replaced by the top-level domain, %2 by the second-level domain, %3 by the third-level domain, and so on up to %9, which is replaced by the ninth-level domain. If the userid contains no @ character, if there is no domain name after the @ character, or if the requested domain level does not exist, the token is replaced by the realm value passed to saslauthd. Should no realm value exist in those scenarios, the token is replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm has not been configured. For example, if the userid to be authenticated is jsmith@example.org, %1 is replaced by org and %2 by example.
%s
is replaced by the service option passed to saslauthd, or by an empty string if no service option was passed.
%r
is replaced by the realm option passed to saslauthd. If no realm value was passed to saslauthd, %r is replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.
ldap_password_attr
- userPassword
When ldap_auth_method is evaluated as custom, ldap_password_attr specifies an attribute that is requested and retrieved. If it is successfully retrieved, the authentication request succeeds if the ldap_password_attr attribute contains a supported password hash and the user-submitted password matches that hash. When ldap_auth_method is bind or fastbind, ldap_password_attr is ignored.
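The check the custom method performs on the retrieved attribute, as an added example (not Cyrus SASL code): the directory value is parsed for a scheme prefix, the candidate password is hashed the same way, and the comparison is constant-time and fails closed on anything unrecognised. Which hash schemes saslauthd actually supports is not stated on this page; the {SHA} and {SSHA} schemes implemented here (base64 of sha1(password + salt) with the salt appended, as OpenLDAP's slappasswd produces) are an assumption about what the directory holds. Note also that for this method the bind identity used by saslauthd must be able to read userPassword, which is a far stronger privilege than the bind method needs.

```python
"""Verifying an LDAP userPassword value as the custom method needs to.

Added example, not Cyrus SASL code. Assumption: the stored value uses the
{SHA} or {SSHA} scheme; any other value (another scheme, plaintext, malformed
base64) is treated as unsupported and the check fails.
"""
import base64
import hashlib
import hmac
import os


def make_sha(password: str) -> str:
    """Produce an unsalted {SHA} value (constructed test data, not a recommendation)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt=None) -> str:
    """Produce a {SSHA} value the way slappasswd does: sha1(pw + salt) || salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Return True only if *stored* carries a supported scheme and matches *candidate*."""
    if not stored.startswith("{"):
        return False                      # no scheme prefix: not a supported hash
    end = stored.find("}")
    if end < 0:
        return False
    scheme = stored[1:end].upper()
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    pw = candidate.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "SSHA":
        if len(blob) <= 20:
            return False                  # need a 20-byte digest plus a non-empty salt
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False                          # unknown scheme: fail closed


if __name__ == "__main__":
    # Constructed directory entry for the demonstration.
    entry = {"uid": "jsmith", "userPassword": make_ssha("s3cret")}
    print(entry["userPassword"], verify_userpassword(entry["userPassword"], "s3cret"))
    print(verify_userpassword(entry["userPassword"], "S3CRET"))
```

The salt is carried inside the stored value, so the verifier never needs to know it in advance; a value without a salt ({SHA}) is accepted here only because the scheme says so, and it is the weaker of the two.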
ldap_group_dn
- none
If ldap_group_dn is specified, group authorization must also succeed (in addition to the prior authentication step) for the user's authentication attempt to be successful. If ldap_group_dn contains substitution tokens, they are replaced as specified in the ldap_filter token expansion rules. One additional token substitution is applicable to ldap_group_dn:
%D
is replaced by the distinguished name that was specified, or evaluated, in the authentication step. If ldap_use_sasl is enabled, the distinguished name is resolved by performing an ldapwhoami ("Who am I?", RFC 4532) extended operation after a successful authentication. If ldap_group_dn is specified and ldap_use_sasl is enabled, but the LDAP server does not support the ldapwhoami extended operation, or if the ldapwhoami extended operation fails, then the user's authentication attempt is unsuccessful.
ldap_group_attr
- uniqueMember
ldap_group_attr is ignored unless ldap_group_dn is also specified and ldap_group_match_method is attr. ldap_group_attr specifies an attribute which contains the authenticating identity's distinguished name. See the ldap_group_match_method entry for additional details.
ldap_group_filter
- none
ldap_group_search_base
- defaults to the evaluated ldap_search_base
ldap_group_scope
- sub
ldap_group_match_method
- attr
ldap_default_realm
- none
ldap_default_domain
- none
ldap_default_domain is an alias for ldap_default_realm.
ldap_auth_method
- bind
ldap_timeout
- 5
ldap_size_limit
- 1
ldap_time_limit
- 5
ldap_deref
- never
ldap_referrals
- no
ldap_restart
- yes
ldap_scope
- sub
ldap_use_sasl
- no
ldap_id
- none
ldap_sasl_authc_id
- none
ldap_authz_id
- none
It does not make sense to supply an authorization identity when performing SASL/fastbind.
ldap_sasl_authz_id
- none
ldap_sasl_authz_id is an alias for ldap_authz_id.
ldap_realm
- none
ldap_sasl_realm
-
ldap_mech
-
It does not make sense to use a mechanism that does not require an authentication name and password when using fastbind.
ldap_sasl_mech
-
ldap_sasl_secprops
-
ldap_start_tls
-
ldap_tls_check_peer
-
ldap_tls_cacert_file
-
ldap_tls_cacert_dir
-
ldap_tls_ciphers
-
ldap_tls_cert
-
ldap_tls_key
-
ldap_debug
-