Options for Cyrus SASL

This document contains information on what options are used by the Cyrus SASL library and bundled mechanisms:

Option	Used By	Description	Default
auto_transition	SASL Library	When set to 'yes' and when using the sasldb auxprop plugin, automatically transition users to other mechs when they do a successful plaintext authentication	no
auxprop_plugin	Auxiliary Property Plugin	Name of auxiliary plugin to use, you may specify a space-separated list of plugin names, and the plugins will be queried in order	(null) - querys all plugins
canon_user_plugin	SASL Library	Name of canon_user plugin to use	INTERNAL
keytab	GSSAPI	Location of keytab file	`/etc/krb5.keytab` (system dependant)
mech_list	SASL Library	Whitespace separated list of mechanisms to allow (e.g. 'plain otp'). Used to restrict the mechanisms to a subset of the installed plugins.	all available
opiekeys	OTP (with OPIE)	Location of the opiekeys file	`/etc/opiekeys`
otp_mda	OTP (w/o OPIE)	Message digest algorithm for one-time passwords, used by sasl_setpass (possible values: 'md4', 'md5', 'sha1')	`md5`
plugin_list	SASL Library	Location of Plugin list (Unsupported)	none
pwcheck_method	SASL Library	Whitespace separated list of mechanisms used to verify passwords, used by sasl_checkpass (possible values: 'auxprop', 'pwcheck', 'saslauthd', 'alwaystrue')	auxprop
reauth_timeout	DIGEST-MD5	Length in time (in minutes) that authentication info will be cached for a fast reauth. A value of 0 will disable reauth.	0
saslauthd_path	SASL Library	Path to saslauthd run directory (including the "/mux" named pipe)	system dependant
sasldb_path	sasldb plugin	Path to sasldb file	`/etc/sasldb2` (system dependant)
srp_mda	SRP	Message digest algorithm for SRP calculations (possible values: 'md5', 'sha1', 'rmd160')	`sha1`
srvtab	KERBEROS_V4	Location of the srvtab file	`/etc/srvtab` (system dependant)

Mysql auxprop options

mysql_user: username to login as to the MySQL server
mysql_passwd: password to use
mysql_hostnames: comma separated host list
mysql_database: database to connect to
mysql_statement: select statement to use
mysql_verbose: if set, the plugin will print select statement to syslog)

The select statement used in the option mysql_statement is parsed for 3 place holders %u, %r, and %p they are replaced with username, realm, and property requested respectively. For example:

    mysql_statement: select %p from user_table where username = '%u' and realm = '%r'

would send the following statement to MySQL for user "bovik" and the default realm for the machine "madoka.surf.org.uk":

     select userPassword from user_table where username = 'bovik' and realm = 'madoka.surf.org.uk'

DO NOT put quotes around the statement but do around the arguments %r, %u, etc.

%u: the username the user logged in as
%p: the property requested this could technically be anything but sasl authentication will try userPassword and cmusaslsecretMECHNAME (where MECHNAME is the name of a mechanism).
%r: the realm which could be the kerbros realm, the FQDN of the computer the sasl app is on or what ever is after the @ on a username. (read the realm documentation)

All substitutions do not have to be used. For instance, "select password from auth where username = '%u'" is a valid value for "mysql_statement".

Back to the index