Cyrus SASL saslauthd.conf man page

Abstract

Description This document describes LDAP configuration options for the Cyrus SASL password verification service saslauthd. By default saslauthd searches for LDAP configuration options in /usr/local/etc/saslauthd.conf. This location can be overridden if the additional command line option -O specifies an alternative path to the configuration file. Syntax Do not use quotes...

Description

This document describes LDAP configuration options for the Cyrus SASL password verification service saslauthd.

By default saslauthd searches for LDAP configuration options in /usr/local/etc/saslauthd.conf. This location can be overridden if the additional command line option -O specifies an alternative path to the configuration file.

Syntax

Do not use quotes (\"\') in the parameter values.

Options

The following are available LDAP parameters. The defaults are probably adequate for most installations. Only ldap_servers may need to be specified.

ldap_auth_method (default: bind|fastbind)

The bind method uses the LDAP bind facility to verify the password. The bind method is not available when ldap_use_sasl is turned on. In that case saslauthd will use fastbind.

bind
bind is the default auth method. When ldap_use_sasl is enabled, 'fastbind' is the default.
custom
The custom method uses userPassword attribute to verify the password. Supported hashes: crypt, md5, smd5, sha and ssha. Cleartext is supported as well.
fastbind

The fastbind method - when ldap_use_sasl is no - does away with the search and an extra anonymous bind in auth_bind, but makes two assumptions:

  1. Expanding the ldap_filter expression gives the user's fully-qualified DN
  2. There is no cost to staying bound as a named user
ldap_bind_dn (default: empty)

Specify DN (distinguished name) to bind to the LDAP directory.

Important

Do not specify this parameter for the anonymous bind!

ldap_bind_pw (default: empty)
An alias for ldap_password.
ldap_default_domain (default: empty)
An alias for ldap_default_realm.
ldap_default_realm (default: empty)
The default realm is assigned to the %r token when realm is not available. See ldap_filter for more.
ldap_deref (default: empty)
Specify how aliases dereferencing is handled during search. Should be one of never, always, search, or find to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search.
ldap_filter (default: uid=%u)

Specify a filter. The following tokens can be used in the filter string:

%%
This is replaced by a literal ’%’ character.
%u
%u is replaced by the complete user string.
%U
If the string is an address (%u), %U will be replaced by the local part of that address.
%d
If the string is an address (%u), %d will be replaced by the domain part of that address. Otherwise it will be the same as %r.
%1-9
If the input key is user@mail.example.com, then %1 is com, %2 is example and %3 is mail.
%s
%s is replaced by the complete service string.
%r
%r is replaced by the complete realm string.
%D
%D is replaced by the complete user DN (available for group checks)

The %u token has to be used at minimum for the filter to be useful. If ldap_auth_method is bind, the filter will search for the DN (distinguished name) attribute. Otherwise, the search will look for the ldap_password_attr attribute.

ldap_group_attr (default: uniqueMember)
Specify what attribute to compare the user DN against in the group. If ldap_group_dn is not specified, this parameter is ignored. If ldap_group_match_method is not attr, this parameter is ignored.
ldap_group_dn (default: empty)
If specified, the user has to be part of the group in order to authenticate successfully. Tokens described in ldap_filter can be used for substitution.
ldap_group_filter (default: empty)
Specify a filter. If a filter match is found then the user is in the group. Tokens described in ldap_filter can be used for for substitution. If ldap_group_dn is not specified, this parameter is ignored. If ldap_group_match_method is not filter, this parameter is ignored.
ldap_group_match_method (default: attr)
If attr is used the group match method uses ldap_group_attr and if filter is used ldap_group_search will be used as group match method. If ldap_group_dn is not specified, this parameter is ignored.
ldap_group_search_base (default: ldap_search_base)
Specify a starting point for the group search: e.g. dc=example,dc=com. Tokens described in ldap_filter can be used for substitution.
ldap_group_scope (default: sub)
Group search scope. Options are either sub, one or base.
ldap_password (default: empty)
Specify the password for ldap_bind_dn or ldap_id if ldap_use_sasl is turned on. Do not specify this parameter for the anonymous bind.
ldap_password_attr (default: userPassword)
Specify what password attribute to use for password verification.
ldap_referrals (default: no)
Specify whether or not the client should follow referrals.
ldap_restart (default: yes)
Specify whether or not LDAP I/O operations are automatically restarted if they abort prematurely.
ldap_id (default: empty)
Specify the authentication ID for SASL bind.
ldap_authz_id (default: empty)
Specify the proxy authorization ID for SASL bind.
ldap_mech (default: empty)
Specify the authentication mechanism for SASL bind.
ldap_realm (default: empty)
Specify the realm of authentication ID for SASL bind.
ldap_scope (default: sub)
Search scope. Options are either sub, one or base.
ldap_search_base (default: empty)
Specify a starting point for the search: e.g. dc=example,dc=com. Tokens described in ldap_filter can be used for substitution.
ldap_servers (default: ldap://localhost/)
Specify one or more URI(s) referring to LDAP server(s), e.g. ldaps://10.1.1.2:999/. Multiple servers must be separated by space.
ldap_start_tls (default: no)
Use StartTLS extended operation. Do not use ldaps: ldap_servers when this option is turned on.
ldap_time_limit (default: 5)
Specify a number of seconds for a search request to complete.
ldap_timeout (default: 5)
Specify a number of seconds a search can take before timing out.
ldap_tls_check_peer (default: no)
Require and verify server certificate. If this option is yes, you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
ldap_tls_cacert_file (default: empty)
File containing CA (Certificate Authority) certificate(s).
ldap_tls_cacert_dir (default: empty)
Path to directory with CA (Certificate Authority) certificates.
ldap_tls_ciphers (default: DEFAULT)
List of SSL/TLS ciphers to allow. See ciphers 1 for a list of all permitted cipher strings and their meanings.
ldap_tls_cert (default: empty)
File containing the client certificate.
ldap_tls_key (default: empty)
File containing the private client key.
ldap_use_sasl (default: no)
Use SASL bind instead of simple bind when connecting to the LDAP server.
ldap_version (default: 3)
Specify the LDAP protocol version - either 2 or 3. If ldap_start_tls and/or ldap_use_sasl are enabled, ldap_version will be automatically set to 3.

Example

The following example configures saslauthd to use an LDAP server as authentication backend and read the configuration from /etc/saslauthd.conf:

$ saslauthd -a ldap -O /etc/saslauthd.conf

The configuration file read by saslauthd:

# Servers
ldap_servers: ldap://localhost/

# Identity
ldap_bind_dn: uid=sasl,ou=services,dc=example,dc=com
ldap_password: secret
ldap_auth_method: bind

# Search
ldap_search_base: ou=people,dc=example,dc=com
Patrick Koetter, 07. January 2015