'\" -*- coding: UTF-8 -*-
.if \n(.g .ds T< \\FC
.if \n(.g .ds T> \\F[\n[.fam]]
.de URL
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH libsasl 5 "15 April 2022" "" ""
.SH NAME
libsasl \- authentication library
.SH SYNOPSIS
Cyrus SASL library handling communication between an application and
the Cyrus SASL authentication framework.
.SH Description
This document describes generic configuration options for the Cyrus
SASL authentication library \*(T<libsasl\*(T>.
.PP
The library handles communication between an application and the
Cyrus SASL authentication framework. Both exchange information before
\*(T<libsasl\*(T> can start offering
authentication services for the application.
.PP
The application, among other data, sends the
\*(T<service_name\*(T>. The service name is the services name
as specified by IANA. SMTP servers, for example, send
\*(T<\fBsmtp\fR\*(T> as \*(T<service_name\*(T>. This
information is handed over by \*(T<libsasl\*(T> e.g. when Kerberos or PAM
authentication takes place.
.PP
Configuration options in general are read either from a file or
passed by the application using \*(T<libsasl\*(T> during library initialization.
.SH "File-Based configuration"
When an application (server) starts, it initializes the
\*(T<libsasl\*(T> library. The
application passes \*(T<app_name\*(T> (application name) to
the SASL library. Its value is used to construct the name of the
application specific SASL configuration file. The Cyrus SASL
sample-server, for example, sends \*(T<\fBsample\fR\*(T> as
\*(T<app_name\*(T>. Using this value the SASL library will
search the configuration directories for a file named
\*(T<\fIsample.conf\fR\*(T> and read configuration options from
it.
.RS 
\fBNote\fR
.PP
Consult the applications manual to determine what
\*(T<app_name\*(T> it sends to the Cyrus SASL
library.
.RE
.SH "Application-Based Configuration"
Configuration options for \*(T<libsasl\*(T> are written down together with
application specific options in the applications configuration file. The
application reads them and passes them over to \*(T<libsasl\*(T> when it loads the library.
.RS 
\fBNote\fR
.PP
An example for application-based configuration is the Cyrus IMAP
server \*(T<imapd\*(T>. SASL
configuration is written to \*(T<\fIimapd.conf\fR\*(T> and passed
to the SASL library when the \*(T<imapd\*(T> server starts.
.RE
.SH "Configuration Syntax"
The general format of Cyrus SASL configuration file is as
follows:
.TP 
Configuration options
Configuration options are written each on a single physical
line. Parameter and value must be separated by a colon and a single
whitespace:

.nf
\*(T<parameter: value\*(T>
.fi
.RS 
\fBImportant\fR

There must be no trailing whitespace after the value or
Cyrus SASL will fail to apply the value appropriately!
.RE
.TP 
Comments, Empty lines and whitespace-only lines
Empty lines and whitespace-only lines are ignored, as are
lines whose first non-whitespace character is a
\(oq#\(cq.
.SH Options
There are generic options and options specific to the password
verification service or auxiliary property plugin chosen by the
administrator. Such specific options are documented in manuals listed in
\fBlibsasl\fR(5).
.PP
The following configuration parameters are generic configuration
options:
.TP 
\*(T<authdaemond_path\*(T> (default: \*(T<\fB/dev/null\fR\*(T>)
Path to Courier MTA authdaemond's unix socket. Only applicable
when \*(T<pwcheck_method\*(T> is set to
\*(T<\fBauthdaemond\fR\*(T>.
.TP 
\*(T<auto_transition\*(T>: (default: \*(T<\fBno\fR\*(T>)
Automatically transition users to other mechanisms when they
do a successful plaintext authentication and if an auxprop plugin is
used.
.RS 
\fBImportant\fR

This option does not apply to the \fBldapdb\fR(5) plugin. It is a read-only plugin.
.RE
.RS 
.TP 
\*(T<\fBno\fR\*(T>
Do not transition users to other mechanisms.
.TP 
\*(T<\fBnoplain\fR\*(T>
Transition users to other mechanisms, but write
non-plaintext secrets only.
.TP 
\*(T<\fByes\fR\*(T>
Transition users to other mechanisms.
.RE
.RS 
\fBNote\fR

The only mechanisms (as currently implemented) which don't
use plaintext secrets are OTP and SRP.
.RE
.TP 
\*(T<auxprop_plugin\*(T>: (default: empty)
A whitespace-separated list of one or more auxiliary plugins
used if the \*(T<pwcheck_method\*(T> parameter
specifies \*(T<\fBauxprop\fR\*(T> as an option. Plugins will be
queried in list order. If no plugin is specified, all available
plugins will be queried.
.RS 
.TP 
\*(T<\fBldapdb\fR\*(T>
Specify \*(T<\fBldapdb\fR\*(T> to use the Cyrus SASL
\fBldapdb\fR(5) plugin.
.TP 
\*(T<\fBsasldb\fR\*(T>
Specify \*(T<\fBsasldb\fR\*(T> to use the Cyrus SASL
\fBsasldb\fR(5) plugin.
.TP 
\*(T<\fBsql\fR\*(T>
Specify \*(T<\fBsql\fR\*(T> to use the Cyrus SASL
\fBsql\fR(5) plugin.
.RE
.TP 
\*(T<log_level\*(T>: (default: \*(T<\fB1\fR\*(T>)
Specifies a numeric log level. Available log levels
are:
.RS 
.TP 
\*(T<\fB0\fR\*(T>
Don't log anything
.TP 
\*(T<\fB1\fR\*(T>
Log unusual errors
.TP 
\*(T<\fB2\fR\*(T>
Log all authentication failures
.TP 
\*(T<\fB3\fR\*(T>
Log non-fatal warnings
.TP 
\*(T<\fB4\fR\*(T>
More verbose than 3
.TP 
\*(T<\fB5\fR\*(T>
More verbose than 4
.TP 
\*(T<\fB6\fR\*(T>
Traces of internal protocols
.TP 
\*(T<\fB7\fR\*(T>
Traces of internal protocols, including passwords
.RE
.RS 
\fBImportant\fR

Cyrus SASL sends log messages to the application that runs
it. The application decides if it forwards such messages to the
\fBsysklogd\fR(8) service, to which
\*(T<facility\*(T> they are sent and which
\*(T<priority\*(T> is given to the message.
.RE
.TP 
\*(T<mech_list\*(T>: (default: empty)
The optional \*(T<mech_list\*(T> parameter
specifies a whitespace-separated list of one or more mechanisms
allowed for authentication.
.TP 
\*(T<pwcheck_method\*(T>: (default: \*(T<\fBauxprop\fR\*(T>)
A whitespace-separated list of one or more mechanisms. Cyrus
SASL provides the following mechanisms:
.RS 
.TP 
\*(T<\fBauthdaemond\fR\*(T>
Configures Cyrus SASL to contact the Courier MTA
\fBauthdaemond\fR(8) password verification service for password
verification.
.TP 
\*(T<\fBalwaystrue\fR\*(T>
Lets the pwcheck succeed always.
.TP 
\*(T<\fBauxprop\fR\*(T>
Cyrus SASL will use its own plugin infrastructure to
verify passwords. The
\*(T<auxprop_plugin\*(T>
parameter controls which plugins will be used.
.TP 
\*(T<\fBpwcheck\fR\*(T>
Verify passwords using the Cyrus SASL \fBpwcheck\fR(8) password verification service. The pwcheck
daemon is considered deprecated and should not be used
anymore. Use the saslauthd password verification service
instead.
.TP 
\*(T<\fBsaslauthd\fR\*(T>
Verify passwords using the Cyrus SASL \fBsaslauthd\fR(8) password verification service.
.RE
.TP 
\*(T<saslauthd_path\*(T>: (default: empty)
Path to \fBsaslauthd\fR(8) run directory (including the
\*(T<\fI/mux\fR\*(T> named pipe)
.SH "See also"
\fBauthdaemond\fR(5), \fBldapdb\fR(5), \fBlibsasl\fR(5), \fBsaslauthd\fR(8), \fBsaslauthd.conf\fR(5), \fBsaslpasswd2\fR(5), \fBsasldblistusers2\fR(5), \fBsasldb\fR(5), \fBsql\fR(5)
.SH Author
This manual was written for the Debian distribution because the
original program does not have a manual page. Parts of the documentation
have been taken from the Cyrus SASL's
\*(T<\fIoptions.html\fR\*(T>.
.PP
.RS 
.nf
Patrick Ben Koetter
<\*(T<p@state\-of\-mind.de\*(T>>
.fi
.RE