<HTML><HEAD> <title>Options for Cyrus SASL</title> <!-- $Id: options.html,v 1.13 2002/12/09 22:20:05 rjs3 Exp $ --> </HEAD> <BODY> <h1>Options for Cyrus SASL</h1> <p>This document lists the options used by the Cyrus SASL library and the bundled mechanisms:</p> <TABLE BORDER WIDTH=95%> <TR><TH>Option</TH><TH>Used By</TH><TH>Description</TH><TH>Default</TH></TR> <TR> <TD>auto_transition</TD><TD>SASL Library</TD> <TD>When set to 'yes' and the sasldb auxprop plugin is in use, automatically transition users to other mechanisms (store the secrets those mechanisms need in sasldb) after a successful plaintext authentication</TD><TD>no</TD> </TR> <TR> <TD>auxprop_plugin</TD><TD>Auxiliary Property Plugin</TD> <TD>Name of the auxiliary property plugin to use. A space-separated list of plugin names may be given; the plugins are queried in that order</TD> <TD>(null) - queries all plugins</TD> </TR> <TR> <TD>canon_user_plugin</TD><TD>SASL Library</TD> <TD>Name of the canon_user plugin to use</TD><TD>INTERNAL</TD> </TR> <TR> <TD>keytab</TD><TD>GSSAPI</TD> <TD>Location of the keytab file</TD><TD><tt>/etc/krb5.keytab</tt> (system dependent)</TD> </TR> <TR> <TD>mech_list</TD><TD>SASL Library</TD> <TD>Whitespace-separated list of mechanisms to allow (e.g. 'plain otp'). 
Used to restrict the mechanisms to a subset of the installed plugins.</TD><TD>all available</TD> </TR> <TR> <TD>opiekeys</TD><TD>OTP (with OPIE)</TD> <TD>Location of the opiekeys file</TD><TD><tt>/etc/opiekeys</tt></TD> </TR> <TR> <TD>otp_mda</TD><TD>OTP (w/o OPIE)</TD> <TD>Message digest algorithm for one-time passwords, used by sasl_setpass (possible values: 'md4', 'md5', 'sha1')</TD><TD><tt>md5</tt></TD> </TR> <TR> <TD>plugin_list</TD><TD>SASL Library</TD> <TD>Location of the plugin list (unsupported)</TD><TD><i>none</i></TD> </TR> <TR> <TD>pwcheck_method</TD><TD>SASL Library</TD> <TD>Whitespace-separated list of methods used to verify plaintext passwords, used by sasl_checkpass (possible values: 'auxprop', 'pwcheck', 'saslauthd', 'alwaystrue'). 'alwaystrue' accepts any password and must only be used for testing</TD><TD>auxprop</TD> </TR> <TR> <TD>reauth_timeout</TD><TD>DIGEST-MD5</TD> <TD>Length of time (in minutes) that authentication info is cached for fast reauthentication. A value of 0 disables reauth.</TD> <TD>0</TD> </TR> <TR> <TD>saslauthd_path</TD><TD>SASL Library</TD> <TD>Path to the saslauthd run directory (<b>including</b> the "/mux" named pipe)</TD> <TD>system dependent</TD> </TR> <TR> <TD>sasldb_path</TD><TD>sasldb plugin</TD> <TD>Path to the sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependent)</TD> </TR> <TR> <TD>srp_mda</TD><TD>SRP</TD> <TD>Message digest algorithm for SRP calculations (possible values: 'md5', 'sha1', 'rmd160')</TD><TD><tt>sha1</tt></TD> </TR> <TR> <TD>srvtab</TD><TD>KERBEROS_V4</TD> <TD>Location of the srvtab file</TD><TD><tt>/etc/srvtab</tt> (system dependent)</TD> </TR> </TABLE> <h2>MySQL auxprop options</h2> <DL compact> <DT>mysql_user <DD>username to log in to the MySQL server as <DT>mysql_passwd <DD>password for that user <DT>mysql_hostnames <DD>comma-separated list of hosts to try <DT>mysql_database <DD>database to connect to <DT>mysql_statement <DD>select statement to use <DT>mysql_verbose <DD>if set, the plugin logs the select statement to syslog </DL> <p>The select statement used in the option <tt>mysql_statement</tt> is
parsed for three placeholders, <tt>%u</tt>, <tt>%r</tt>, and <tt>%p</tt>, which are replaced with the username, the realm, and the property requested, respectively. For example: <pre> mysql_statement: select %p from user_table where username = '%u' and realm = '%r' </pre> would send the following statement to MySQL for user "bovik" with the machine's default realm "madoka.surf.org.uk": <pre> select userPassword from user_table where username = 'bovik' and realm = 'madoka.surf.org.uk' </pre> <font color=red>DO NOT put quotes around the statement, but DO put quotes around the arguments %r, %u, etc.</font> The placeholders are substituted into the statement text, so a placeholder left outside quotes changes the structure of the query instead of supplying a value to compare. <DL compact> <DT><tt>%u</tt> <DD>the username the user logged in as <DT><tt>%p</tt> <DD>the property requested. Technically this could be anything, but SASL authentication will ask for userPassword and cmusaslsecretMECHNAME (where MECHNAME is the name of a mechanism). <DT><tt>%r</tt> <DD>the realm, which could be the Kerberos realm, the FQDN of the computer the SASL application runs on, or whatever follows the @ in a username (read the realm documentation) </DL> <p>Not all substitutions have to be used. For instance, "<tt>select password from auth where username = '%u'</tt>" is a valid value for "<tt>mysql_statement</tt>". <hr> Back to the <A href=index.html>index</a> </body> </html>
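<p>The following Python is an added example, not code from the Cyrus SASL page or from the mysql auxprop plugin. It reads a SASL application config in the <tt>option: value</tt> form used for the options above, expands the <tt>%u</tt>, <tt>%r</tt> and <tt>%p</tt> placeholders of <tt>mysql_statement</tt> as described, and enforces the quoting rule given in red (quote the arguments, never the whole statement). The config text, the file name in its comment, the user and realm values and all function names are constructed for the example. Whether the real plugin escapes quote characters in the substituted values is not stated on this page, so the optional escape step is labelled as an assumption and is off by default.</p>

```python
"""
Added example (not part of the Cyrus SASL page or the mysql auxprop plugin):
parse a SASL application config in the 'option: value' form the page uses,
expand the %u / %r / %p placeholders of mysql_statement the way the page
describes, and check the page's quoting rule.  All inputs are constructed.
"""
import re

# Constructed config in the 'option: value' format shown on the page.
# The file name in the comment is hypothetical.
SAMPLE_CONF = """\
# /usr/lib/sasl2/imapd.conf  (hypothetical application config)
pwcheck_method: auxprop
auxprop_plugin: mysql
mech_list: plain login
mysql_user: saslro
mysql_passwd: s3cret
mysql_hostnames: db1.example.org,db2.example.org
mysql_database: sasl
mysql_statement: select %p from user_table where username = '%u' and realm = '%r'
"""


def parse_conf(text):
    """Parse 'option: value' lines; '#' lines are comments, blank lines ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        opts[key.strip()] = value.strip()
    return opts


def expand_statement(template, user, realm, prop, escape=False):
    """Replace %u, %r and %p with the user, realm and property.

    escape=False is the plain textual substitution the page describes.
    escape=True additionally backslash-escapes ' and \\ in the user and realm
    values (MySQL string-literal syntax).  Whether the real plugin does this
    is NOT stated on the page; it is an assumption added for illustration.
    """
    if escape:
        user = user.replace("\\", "\\\\").replace("'", "\\'")
        realm = realm.replace("\\", "\\\\").replace("'", "\\'")
    subst = {"u": user, "r": realm, "p": prop}
    # The lambda returns a literal, so no replacement-string escaping applies.
    return re.sub(r"%([urp])", lambda m: subst[m.group(1)], template)


def quoting_problems(template):
    """Apply the page's rule: do not quote the whole statement, but do quote
    the %u / %r arguments.  %p is a column name and stays unquoted.
    Returns a list of problem descriptions (empty when the rule is met)."""
    problems = []
    s = template.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        problems.append("statement is wrapped in quotes")
    in_quote = False          # are we inside a single-quoted string literal?
    i = 0
    while i < len(s):
        c = s[i]
        if c == "'":
            in_quote = not in_quote
        elif c == "%" and i + 1 < len(s) and s[i + 1] in "ur":
            if not in_quote:
                problems.append("%%%s is not inside single quotes" % s[i + 1])
            i += 1            # skip the placeholder letter
        i += 1
    return problems


def lookup_statement(conf_text, user, realm, prop="userPassword"):
    """Parse the config, validate mysql_statement and build the query
    the plugin would send for this user/realm/property."""
    opts = parse_conf(conf_text)
    template = opts["mysql_statement"]
    problems = quoting_problems(template)
    if problems:
        raise ValueError("bad mysql_statement: " + "; ".join(problems))
    return expand_statement(template, user, realm, prop)


if __name__ == "__main__":
    # Reproduces the statement shown on the page for user "bovik".
    print(lookup_statement(SAMPLE_CONF, "bovik", "madoka.surf.org.uk"))
```

<p>Running the block prints the same <tt>select userPassword from user_table ...</tt> statement the page shows. A template such as <tt>... where username = %u</tt> (placeholder outside quotes) is rejected by <tt>quoting_problems</tt> before any substitution happens, which is the check a deployment should make once rather than discover at login time.</p>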