FreeBSD + Cyrus SASL
====================

Shanker Balan
http://shankerbalan.com/

Changelog:

* Wed Sep 10 12:24:35 IST 2003 - Added GSSAPI and pkgtools.conf
* Thu Sep  4 17:14:51 IST 2003 - Added LDAP section
* Wed Sep  3 17:18:02 IST 2003 - Initial doc, before I forget

Cyrus SASL is an implementation of SASL (the Simple Authentication and
Security Layer), a framework for adding pluggable authentication
mechanisms to connection-based protocols. It is most commonly used to
provide SMTP Authentication in MTAs (Postfix, Sendmail etc.) and is also
the authentication subsystem of the Cyrus mail suite.

Package Versions:

[godzilla] ~> uname -a
FreeBSD godzilla.domain.com 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Mon Aug 25 13:13:16 IST 2003     root@godzilla.domain.com:/usr/obj/usr/src/sys/MYKERNEL  i386

cyrus-sasl-2.1.15
cyrus-sasl-saslauthd-2.1.15_1

Install via "portinstall":

[godzilla] ~# portinstall security/cyrus-sasl2
[godzilla] ~# portinstall security/cyrus-sasl2-saslauthd

###
### pkgtools.conf
###

MAKE_ARGS = {
  'security/cyrus-sasl2' => 'WITH_BDB_VER=41 WITH_MYSQL=yes WITH_DEV_URANDOM=yes MAKE_KERBEROS5=yes',
}

##
## rc.conf (See /usr/local/etc/rc.d/saslauthd.sh)
##

sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a sasldb"

# start saslauthd
[godzilla] ~# /usr/local/etc/rc.d/saslauthd.sh start
saslauthd

# saslauthd forks a small pool of worker processes (five by default,
# tunable with -n), so several identical entries are expected here.
[godzilla] ~# ps ax|grep saslauthd
 5835  ??  Ss     0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5836  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5837  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5838  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5839  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb

Sasldb User Management
======================

Use "saslpasswd2" and "sasldblistusers2":

[godzilla] ~# saslpasswd2 -c cyrus
Password: ******
Again (for verification): ******

[godzilla] ~# sasldblistusers2
cyrus@godzilla.domain.com: userPassword

Note that "userPassword" is the plaintext secret: sasldb2 keeps the
password itself (the shared-secret mechanisms CRAM-MD5 and DIGEST-MD5
need it), so anyone who can read /usr/local/etc/sasldb2 holds every
password in it. Keep the file's ownership and mode as tight as the
consuming process allows (see Notes below).

LDAP Authentication
===================

###
### /usr/local/etc/saslauthd.conf
###

ldap_servers: ldap://ldap.domain.com/
ldap_version: 3
ldap_search_base: ou=people,dc=domain,dc=com
ldap_auth_method: bind

##
## rc.conf
##

sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a ldap"

With "ldap_auth_method: bind", saslauthd looks the user up under the
search base and then binds to the directory as that entry with the
password the client supplied. Over a plain ldap:// URL that password
crosses the network in the clear, so use an ldaps:// URL or set
"ldap_start_tls: yes" in saslauthd.conf.

See /usr/local/share/doc/cyrus-sasl2/saslauthd/LDAP_SASLAUTHD and
saslauthd(8).

Testing Authentication
======================

Hmm.. where did the sample "client" and "server" go??? I think it's not
installed by default.

The saslauthd daemon can at least be exercised on its own with the
"testsaslauthd" utility from the saslauthd source tree, which sends a
user name (-u), password (-p) and service name (-s) to the running
daemon over its socket and prints the daemon's OK/NO reply.

Notes:

- If you are not using "saslauthd" to handle the authentication part,
  then sasldb2 must be readable by the process performing the
  authentication. For example, if you have configured Postfix to use
  "sasldb" as the authentication method via "smtpd.conf" instead of
  "saslauthd", sasldb2 must be readable by user/group "mail".
  saslauthd itself runs as root and needs no such grant.

- saslauthd only ever verifies a plaintext password handed to it by the
  application, so it can back only the PLAIN and LOGIN mechanisms; run
  those over TLS. CRAM-MD5 and DIGEST-MD5 need the stored secret and
  therefore the sasldb (auxprop) path, not saslauthd.

- The application has to be linked against the cyrus-sasl2 libraries
  and not against the older cyrus-sasl-1.x libs. Applications which use
  the older libraries will use "sasldb" and not "sasldb2".

ToDo:

- Document the usage of the sample SASL client/server for testing
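As an added example for the "Testing Authentication" section (not part of the original document and not code from the Cyrus SASL project), the following Python script speaks the wire protocol that saslauthd accepts on its UNIX socket, the same framing testsaslauthd uses: four length-prefixed fields (2-byte big-endian length, then the bytes) carrying login, password, service and realm, answered by one length-prefixed field whose text begins with "OK" or "NO". So that it runs offline, it also contains a tiny in-process stand-in for the daemon's sasldb backend that checks against a constructed user table; the socket path /var/run/saslauthd/mux is an assumption about where the FreeBSD port puts the socket (saslauthd -m changes it), and the user names and passwords in FAKE_USERS are made up.

```python
"""Client for saslauthd's UNIX-socket protocol, plus an offline fake daemon.

Added example: the framing below (four 16-bit-length-prefixed fields
login, password, service, realm; one prefixed OK/NO reply) is the one
testsaslauthd speaks. Socket path and sample users are assumptions.
"""
import socket
import struct
import threading

# Assumption: where the FreeBSD port's saslauthd listens (overridable with -m).
DEFAULT_MUX = "/var/run/saslauthd/mux"


def _field(data: bytes) -> bytes:
    """Encode one field: 2-byte big-endian length followed by the bytes.
    The length is 16-bit, so anything longer than 65535 bytes cannot be sent."""
    if len(data) > 0xFFFF:
        raise ValueError("field too long for the saslauthd protocol")
    return struct.pack("!H", len(data)) + data


def build_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Serialize one authentication request in the order the daemon expects."""
    return b"".join(_field(s.encode()) for s in (login, password, service, realm))


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf


def read_field(sock: socket.socket) -> bytes:
    """Read one length-prefixed field from the socket."""
    (n,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, n)


def parse_reply(reply: bytes) -> tuple:
    """Return (authenticated, message). Only a reply starting with b"OK" is success."""
    return reply.startswith(b"OK"), reply.decode(errors="replace")


def authenticate(login, password, service="smtp", realm="", sock=None, path=DEFAULT_MUX):
    """One request/response exchange. Pass an already connected `sock` (used by
    the offline test below) or let the function connect to the daemon's socket."""
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(path)
    try:
        sock.sendall(build_request(login, password, service, realm))
        return parse_reply(read_field(sock))
    finally:
        if own:
            sock.close()


# Constructed stand-in for sasldb2 (login -> plaintext password), for the offline test.
FAKE_USERS = {"cyrus": "secret", "shanker": "hunter2"}


def fake_saslauthd(conn: socket.socket, users=FAKE_USERS) -> None:
    """Serve exactly one request the way the sasldb backend answers:
    compare the supplied password with the stored one, reply OK or NO."""
    try:
        login, password, _service, _realm = (read_field(conn) for _ in range(4))
        ok = users.get(login.decode(errors="replace")) == password.decode(errors="replace")
        conn.sendall(_field(b"OK" if ok else b"NO authentication failed"))
    finally:
        conn.close()


def check_offline(login: str, password: str) -> bool:
    """Run client and fake daemon against each other over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_saslauthd, args=(server,))
    worker.start()
    try:
        ok, _msg = authenticate(login, password, sock=client)
    finally:
        client.close()
        worker.join()
    return ok


if __name__ == "__main__":
    for user, pw in (("cyrus", "secret"), ("cyrus", "wrong"), ("nobody", "x")):
        print(f"{user}/{pw}: {'OK' if check_offline(user, pw) else 'NO'}")
```

Against a real daemon, `authenticate("cyrus", "secret", service="smtp")` connects to the mux socket as root (the socket directory is not world-accessible) and returns whatever the configured backend (sasldb, ldap, pam, ...) decides; the password travels to saslauthd in the clear, which is why the section above pairs saslauthd with TLS-protected PLAIN/LOGIN.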