|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
It would not be too difficult to make the support a lot better. My command line looks like this:/usr/sbin/saslauthd -m /var/run/saslauthd -O /etc/saslauthd.conf -a ldap -V -O /etc/saslauthd-httpform.conf -a httpform
The return value of the second mech is not currently used but that is easy to change. I use the httpform as a way of synchronising passwords to other systems. For a generic solution some syntax regarding what to do on success or failure would need to be developed.
My patches also allow per realm configuration for the ldap mech and fixes some bugs in the httpform mech.
If you want the patches, let me know. John. Mike Culbertson wrote:
I'm not sure we're talking about the same thing. I'm actually asking about the auth mechanisms used by saslauthd, that are specified on the command line when you run the daemon such as getpwent, kerberos5, pam, ldap, etc. i.e.: /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5 Based on the man page, it sounds like you would be able to do something like this to auth off of multiple backend sources: /usr/sbin/saslauthd -a kerberos5 -a ldap -c -m /var/run/saslauthd -n 5 But neither that nor any other style of arguments work to specify multiple mechs. I think this is a simple miswording in the man page, but it warrants clarification. In my case, we fell back to using 'pam' and handling multiple auth backends with pam modules. It would certainly be nicer if saslauthd could do this without PAM though. -Mike On Jun 16, 2010, at 4:03 PM, Henry B. Hotz wrote:If you go back a few years there's an exchange between Simon Wilkinson and me where he describes how to do it. Basically you get the server's list of available mech's, try to connect, if it fails then you erase the chosen (failed) mech from the list and start over. You stop on success or when the error returned is no available mechs. This is programmatically more complex than the published sample code. The opposing viewpoint (from Ken Hornstein, who also deserves respect) is that it makes everything more complex and less reliable, and you're better off just picking a single one for any given specific usage of SASL, even if your server supports more than one. On Jun 16, 2010, at 2:24 PM, Mike Culbertson wrote:I'm aware that this has come up before (http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2007-September/001188.html)but (on Debian) the manpage for saslauthd states: saslauthd supports one or more "authentication mechanisms" so it's not entirely clear what the correct answer is. Is there any way at all to use multiple auth mechs, aside from doing it through PAM? TIA - Mike------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@xxxxxxxxxxxx, or hbhotz@xxxxxxx
-- John Newbigin ITS Senior Analyst / Programmer Faculty of Information and Communication Technologies Swinburne University of Technology Melbourne, Australia http://www.ict.swin.edu.au/staff/jnewbigin