1SASLAUTHD(8) BSD System Manager's Manual SASLAUTHD(8)
2
4 saslauthd — sasl authentication server
5
7 saslauthd -a authmech [-Tvdchlr] [-O option] [-m mux_path] [-n threads]
8 [-s size] [-t timeout]
9
11 saslauthd is a daemon process that handles plaintext authentication
12 requests on behalf of the SASL library.
13 The server fulfills two roles: it isolates all code requiring superuser
15 privileges into a single process, and it can be used to provide proxy
16 authentication services to clients that do not understand SASL based
17 authentication.
18 saslauthd should be started from the system boot scripts when going to
20 multi-user mode. When running against a protected authentication database
21 (e.g. the shadow mechanism), it must be run as the superuser. Otherwise
22 it is recommended to run daemon unprivileged as saslauth:saslauth. You
23 can do so by following these steps:
24 1. create directory /etc/systemd/system/saslauthd.service.d/
25 2. create file /etc/systemd/system/saslauthd.service.d/user.conf with
26 content
27 [Service]
29 User=saslauth
30 Group=saslauth
31 3. Reload systemd service file: run “systemctl daemon-reload”
33 Options
35 Options named by lower-case letters configure the server itself.
36 Upper-case options control the behavior of specific authentication mecha‐
37 nisms; their applicability to a particular authentication mechanism is
38 described in the AUTHENTICATION MECHANISMS section.
39 -a authmech
41 Use authmech as the authentication mechanism. (See the
42 AUTHENTICATION MECHANISMS section below.) This parameter is
43 mandatory.
44 -O option
46 A mechanism specific option (e.g. rimap hostname or config file
47 path)
48 -H hostname
50 The remote host to be contacted by the rimap authentication mech‐
51 anism. (Deprecated, use -O instead)
52 -m path
54 Use path as the pathname to the named socket to listen on for
55 connection requests. This must be an absolute pathname, and MUST
56 NOT include the trailing "/mux". Note that the default for this
57 value is "/var/state/saslauthd" (or what was specified at compile
58 time) and that this directory must exist for saslauthd to func‐
59 tion.
60 -n threads
62 Use threads processes for responding to authentication queries.
63 (default: 5) A value of zero will indicate that saslauthd should
64 fork an individual process for each connection. This can solve
65 leaks that occur in some deployments.
66 -s size
68 Use size as the table size of the hash table (in kilobytes)
69 -t timeout
71 Use timeout as the expiration time of the authentication cache
72 (in seconds)
73 -T Honour time-of-day login restrictions.
75 -h Show usage information
77 -c Enable caching of authentication credentials
79 -l Disable the use of a lock file for controlling access to
81 accept().
82 -r Combine the realm with the login (with an '@' sign in between).
84 e.g. login: "foo" realm: "bar" will get passed as login:
85 "foo@bar". Note that the realm will still be passed, which may
86 lead to unexpected behavior for authentication mechanisms that
87 make use of the realm, however for mechanisms which don't, such
88 as getpwent, this is the only way to authenticate domain-specific
89 users sharing the same userid.
90 -v Print the version number and available authentication mechanisms
92 on standard error, then exit.
93 -d Debugging mode.
95 Logging
97 saslauthd logs its activities via syslogd using the LOG_AUTH facility.
98
100 saslauthd supports one or more "authentication mechanisms", dependent
101 upon the facilities provided by the underlying operating system. The
102 mechanism is selected by the -a flag from the following list of choices:
103 dce (AIX)
105 Authenticate using the DCE authentication environment.
107 getpwent (All platforms)
109 Authenticate using the getpwent() library function. Typically
111 this authenticates against the local password file. See your
112 system's getpwent(3) man page for details.
113 kerberos4 (All platforms)
115 Authenticate against the local Kerberos 4 realm. (See the
117 NOTES section for caveats about this driver.)
118 kerberos5 (All platforms)
120 Authenticate against the local Kerberos 5 realm.
122 pam (Linux, Solaris)
124 Authenticate using Pluggable Authentication Modules (PAM).
126 rimap (All platforms)
128 Forward authentication requests to a remote IMAP server. This
130 driver connects to a remote IMAP server, specified using the
131 -O flag, and attempts to login (via an IMAP ‘LOGIN’ command)
132 using the credentials supplied to the local server. If the
133 remote authentication succeeds the local connection is also
134 considered to be authenticated. The remote connection is
135 closed as soon as the tagged response from the ‘LOGIN’ command
136 is received from the remote server.
137 The option parameter to the -O flag describes the remote
139 server to forward authentication requests to. hostname can be
140 a hostname (imap.example.com) or a dotted-quad IP address
141 (192.168.0.1). The latter is useful if the remote server is
142 multi-homed and has network interfaces that are unreachable
143 from the local IMAP server. The remote host is contacted on
144 the ‘imap’ service port. A non-default port can be specified
145 by appending a slash and the port name or number to the
146 hostname argument.
147 The -O flag and argument are mandatory when using the rimap
149 mechanism.
150 shadow (AIX, Irix, Linux, Solaris)
152 Authenticate against the local "shadow password file". The
154 exact mechanism is system dependent. saslauthd currently
155 understands the getspnam() and getuserpw() library routines.
156 Some systems honour the -T flag.
157 sasldb (All platforms)
159 Authenticate against the SASL authentication database. Note
161 that this is probably not what you want to use, and is even
162 disabled at compile-time by default. If you want to use
163 sasldb with the SASL library, you probably want to use the
164 pwcheck_method of "auxprop" along with the sasldb auxprop
165 plugin instead.
166 ldap (All platforms that support OpenLDAP 2.0 or higher)
168 Authenticate against an ldap server. The ldap configuration
170 parameters are read from /etc/saslauthd.conf. The location of
171 this file can be changed with the -O parameter. See the
172 LDAP_SASLAUTHD file included with the distribution for the
173 list of available parameters.
174 sia (Digital UNIX)
176 Authenticate using the Digital UNIX Security Integration
178 Architecture (a.k.a. "enhanced security").
179
181 The kerberos4 authentication driver consumes considerable resources. To
182 perform an authentication it must obtain a ticket granting ticket from
183 the TGT server on every authentication request. The Kerberos library rou‐
184 tines that obtain the TGT also create a local ticket file, on the reason‐
185 able assumption that you will want to save the TGT for use by other Ker‐
186 beros applications. These ticket files are unusable by saslauthd , how‐
187 ever there is no way not to create them. The overhead of creating and
188 removing these ticket files can cause serious performance degradation on
189 busy servers. (Kerberos was never intended to be used in this manner,
190 anyway.)
191
193 /run/saslauthd/mux The default communications socket.
194 /etc/saslauthd.conf
196 The default configuration file for ldap support.
197
199 passwd(1), getpwent(3), getspnam(3), getuserpw(3), sasl_checkpass(3)
200 sia_authenticate_user(3),
201CMU-SASL 12 12 2005 CMU-SASL