[Pkg-cyrus-sasl2-commits] r399 - in /cyrus-sasl-2.1/trunk/debian/doc: ./ TODO auxprop-ldapdb.5.xml auxprop-sasldb.5.xml auxprop-sql.5.xml ldapdb.5 libsasl.5 libsasl.5.xml saslauthd.conf.5 saslauthd.conf.5.xml sasldb.5 sql.5

pbk-guest at users.alioth.debian.org pbk-guest at users.alioth.debian.org
Wed Dec 3 22:49:33 UTC 2008


Author: pbk-guest
Date: Wed Dec  3 22:49:32 2008
New Revision: 399

URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/?sc=1&rev=399
Log:
First checkin of SASL man pages. Still a long way to go and many things are still moving

Added:
    cyrus-sasl-2.1/trunk/debian/doc/
    cyrus-sasl-2.1/trunk/debian/doc/TODO
    cyrus-sasl-2.1/trunk/debian/doc/auxprop-ldapdb.5.xml
    cyrus-sasl-2.1/trunk/debian/doc/auxprop-sasldb.5.xml
    cyrus-sasl-2.1/trunk/debian/doc/auxprop-sql.5.xml
    cyrus-sasl-2.1/trunk/debian/doc/ldapdb.5
    cyrus-sasl-2.1/trunk/debian/doc/libsasl.5
    cyrus-sasl-2.1/trunk/debian/doc/libsasl.5.xml
    cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5
    cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5.xml
    cyrus-sasl-2.1/trunk/debian/doc/sasldb.5
    cyrus-sasl-2.1/trunk/debian/doc/sql.5

Added: cyrus-sasl-2.1/trunk/debian/doc/TODO
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/TODO?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/TODO (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/TODO Wed Dec  3 22:49:32 2008
@@ -1,0 +1,4 @@
+Write manual for
+- authdaemond(8)
+- sql(5)
+- pwcheck_method: alwaystrue
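
Review bot: the `- sql(5)` entry lists a page as still to be written, although this same revision adds auxprop-sql.5.xml and sql.5. Either drop the entry or reword it to say what is still missing from that page. The entry `authdaemond(8)` also disagrees with the See also sections added in this commit, which cite authdaemond in section 5; settle on one section number.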

Added: cyrus-sasl-2.1/trunk/debian/doc/auxprop-ldapdb.5.xml
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/auxprop-ldapdb.5.xml?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/auxprop-ldapdb.5.xml (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/auxprop-ldapdb.5.xml Wed Dec  3 22:49:32 2008
@@ -1,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<refentry lang="en">
+  <refmeta>
+    <refentrytitle>ldapdb</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>ldapdb</refname>
+
+    <refpurpose>Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><parameter>auxprop_plugin</parameter>:
+    <option>ldapdb</option></para>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>Description</title>
+
+    <para>This document describes configuration options for the Cyrus SASL
+    auxiliary property plugin <option>ldapdb</option>.</para>
+
+    <para>This plugin reads all user data from an OpenLDAP server. It requires
+    configuration of the <option>ldapdb</option> plugin and of the LDAP
+    server. The <option>ldapdb</option> plugin must name a proxy user. The
+    proxy user must (also) SASL authenticate at the LDAP server. The LDAP
+    server must authorize the <option>ldapdb</option> proxy user to access the
+    authenticating users <parameter>userPassword</parameter>.</para>
+  </refsection>
+
+  <refsection>
+    <title>Options</title>
+
+    <para>The following configuration parameters are applicable in the context
+    of the <option>ldapdb</option> plugin:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>ldapdb_uri</option> (default: empty)</term>
+
+        <listitem>
+          <para>Specifies a whitespace-separated list of LDAP servers
+          (authentication backends). Use <option>ldapi://</option>...,
+          <option>ldap://</option>... or <option>ldaps://</option>... to
+          specify how the servers should be contacted.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>ldapdb_id</option> (default: empty)</term>
+
+        <listitem>
+          <para>Specifies the proxy user name (authentication id) who logs
+          into the LDAP server in order to retrieve the authenticating users
+          <parameter>userPassword</parameter>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>ldapdb_mech</option> (default: empty)</term>
+
+        <listitem>
+          <para>Sets the SASL mechanism the <option>ldapdb</option> plugin
+          (client) should use when it SASL connects to the LDAP server.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>ldapdb_pw</option> (default: empty)</term>
+
+        <listitem>
+          <para>Specifies the password used by
+          <parameter>ldapdb_id</parameter>. The password must be written in
+          cleartext.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>ldapdb_rc</option> (default: empty)</term>
+
+        <listitem>
+          <para>Specifies a path to a file that contains configuration options
+          to override system-wide defaults when running ldap clients (see
+          also: <citerefentry>
+              <refentrytitle>ldap.conf</refentrytitle>
+
+              <manvolnum>5</manvolnum>
+            </citerefentry>).</para>
+
+          <para>The main purpose behind this option is to drop transmission of
+          <parameter>ldapdb_pw</parameter> in favor of a client TLS
+          certificate specified in <parameter>ldapdb_rc</parameter>, so that
+          SASL/EXTERNAL may be used between the ldapdb plugin and the LDAP
+          server.</para>
+
+          <note>
+            <para>This is the most optimal way to use the ldapdb plugin when
+            the servers are on separate machines - the connection is encrypted
+            and password transmission is not necessary because the client is
+            identified by its TLS client certificate.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>ldapdb_starttls</option> (default: empty)</term>
+
+        <listitem>
+          <para>Enable encrypted communication using StartTLS. Valid options
+          are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>try</option></term>
+
+              <listitem>
+                <para>StartTLS encrypted communication is attempted. If it
+                fails the client communicates unencrypted.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>demand</option></term>
+
+              <listitem>
+                <para>StartTLS encrypted communication is required. If it
+                fails the client aborts the connection.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Example</title>
+
+    <para>The following example shows a typical <option>ldapdb</option>
+    configuration.</para>
+
+    <programlisting>pwcheck_method: auxprop
+auxprop_plugin: ldapdb
+mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
+ldapdb_uri: ldap://localhost ldaps://ldap.example.com
+ldapdb_id: proxyuser
+ldapdb_pw: proxypass
+ldapdb_mech: DIGEST-MD5</programlisting>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+
+    <para><citerefentry>
+        <refentrytitle>authdaemond</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>ldapdb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd.conf</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL saslauthd LDAP configuration file</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslpasswd2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, set a user’s SASL password</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldblistusers2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, list users in sasldb</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access the sasldb
+    authentication backend</para>
+
+    <para><citerefentry>
+        <refentrytitle>sql</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access SQL authentication
+    backends</para>
+  </refsection>
+
+  <refsection>
+    <title>Author</title>
+
+    <para>This manual was written for the Debian distribution because the
+    original program does not have a manual page. Parts of the documentation
+    have been taken from the Cyrus SASL's
+    <filename>options.html</filename>.</para>
+
+    <para><address>Patrick Ben Koetter
+<email>p at state-of-mind.de</email></address></para>
+  </refsection>
+</refentry>
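
Review bot: the ldapdb_pw entry in Options says only that "The password must be written in cleartext", without saying how the file that holds it should be protected. Suggest a sentence on restricting read access to that configuration file, as the sasldb page in this commit does for /etc/sasldb2. The `try` entry under ldapdb_starttls documents a silent fallback to unencrypted communication, so it is worth stating there that `demand` is the value to use whenever the LDAP server is not local. In See also, the page cites itself as ldapdb(5), and saslpasswd2 and sasldblistusers2 are given section 5 where auxprop-sasldb.5.xml cites both in section 8.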

Added: cyrus-sasl-2.1/trunk/debian/doc/auxprop-sasldb.5.xml
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/auxprop-sasldb.5.xml?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/auxprop-sasldb.5.xml (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/auxprop-sasldb.5.xml Wed Dec  3 22:49:32 2008
@@ -1,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>sasldb</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sasldb</refname>
+
+    <refpurpose>Cyrus SASL auxprop plugin to access the sasldb authentication
+    backend</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><parameter>auxprop_plugin</parameter>:
+    <option>sasldb</option></para>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>Description</title>
+
+    <para>This document describes configuration options for the Cyrus SASL
+    auxiliary property plugin <option>sasldb</option>.</para>
+
+    <para><option>sasldb</option> is the default and fallback plugin. It will
+    be used if explicitly configured, but also if other mechanisms have failed
+    to load e.g. because they haven't been configured properly.</para>
+
+    <para>This plugin reads all user data from a Berkeley database. On Debian
+    systems the default location for this database is
+    <filename>/etc/sasldb2</filename>.</para>
+
+    <para>Passwords are stored in plaintext format to enable usage of
+    shared-secret mechanisms. To protect the passwords, access has been
+    restricted to user <systemitem class="username">root</systemitem> and
+    group <systemitem class="groupname">sasl</systemitem>. An application must
+    be member of the <systemitem class="groupname">sasl</systemitem> group to
+    conduct <option>sasldb</option> SASL authentication.</para>
+
+    <para>Use the <citerefentry>
+        <refentrytitle>saslpasswd2</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry> utility to create and modify <option>sasldb</option>
+    users. The <citerefentry>
+        <refentrytitle>sasldblistusers2</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry> command prints a list of existing
+    <option>sasldb</option> users to <literal>STDOUT</literal>.</para>
+  </refsection>
+
+  <refsection>
+    <title>Options</title>
+
+    <para>The following configuration parameters are applicable in the context
+    of the <option>sasldb</option> plugin:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><parameter>sasldb_path</parameter>: (default:
+        <filename>/etc/sasldb2</filename>)</term>
+
+        <listitem>
+          <para>Specifies the path to the database when
+          <parameter>auxprop_plugin</parameter>: <option>sasldb</option> is
+          used. The default path is system dependant, but usually
+          <filename>/etc/sasldb2</filename>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Example</title>
+
+    <para>The following example shows a typical <option>sasldb</option>
+    configuration. The database is located at the default location
+    <filename>/etc/sasldb2</filename>.</para>
+
+    <programlisting>pwcheck_method: auxprop
+auxprop_plugin: sasldb
+mech_list: plain login cram-md5 digest-md5</programlisting>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+
+    <para><citerefentry>
+        <refentrytitle>authdaemond</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>ldapdb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd.conf</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL saslauthd LDAP configuration file</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslpasswd2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, set a user’s SASL password</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldblistusers2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, list users in sasldb</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access the sasldb
+    authentication backend</para>
+
+    <para><citerefentry>
+        <refentrytitle>sql</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access SQL authentication
+    backends</para>
+  </refsection>
+
+  <refsection>
+    <title>Author</title>
+
+    <para>This manual was written for the Debian distribution because the
+    original program does not have a manual page. Parts of the documentation
+    have been taken from the Cyrus SASL's
+    <filename>options.html</filename>.</para>
+
+    <para><address>Patrick Ben Koetter
+<email>p at state-of-mind.de</email></address></para>
+  </refsection>
+</refentry>
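
Review bot: the Description says sasldb is also used "if other mechanisms have failed to load e.g. because they haven't been configured properly", and the page does not spell out what that means for an administrator: with a misconfigured ldapdb or sql setup, lookups would fall back to /etc/sasldb2. Suggest saying "plugins" instead of "mechanisms" here, since the Example uses mech_list for SASL mechanisms, and adding a note that entries left in the database stay usable through this fallback. Smaller points: "system dependant" should read "system dependent", the See also section cites saslpasswd2(5) and sasldblistusers2(5) while the Description cites both in section 8, and the page lists itself in See also.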

Added: cyrus-sasl-2.1/trunk/debian/doc/auxprop-sql.5.xml
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/auxprop-sql.5.xml?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/auxprop-sql.5.xml (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/auxprop-sql.5.xml Wed Dec  3 22:49:32 2008
@@ -1,0 +1,332 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>sql</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sql</refname>
+
+    <refpurpose>Cyrus SASL auxprop plugin to access sql authentication
+    backends</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><parameter>auxprop_plugin</parameter>: <option>sql</option></para>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>Description</title>
+
+    <para>This document describes configuration options for the Cyrus SASL
+    auxiliary property plugin <option>sql</option>.</para>
+
+    <para><option>sql</option> is a generic plugin for various SQL backends.
+    Currently it provides access to either MySQL, PostgreSQL or SQLite
+    databases.</para>
+
+    <note>
+      <para>The plugin requires that passwords are stored in plaintext format
+      to use shared-secret mechanisms.</para>
+    </note>
+  </refsection>
+
+  <refsection>
+    <title>Configuration Syntax</title>
+
+    <para>The following syntax is mandatory for <option>sql</option> plugin
+    configuration:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>SQL statements specified with <parameter>sql_select</parameter>,
+        <parameter>sql_select</parameter> and
+        <parameter>sql_select</parameter> must not be enclosed in
+        quotes.</para>
+      </listitem>
+
+      <listitem>
+        <para>Macros, e.g. <option>%u</option>, <option>%r</option> and
+        <option>%v</option>, specified within SQL statements must be quoted
+        individually.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>See <xref linkend="example" /> for a valid configuration
+    example.</para>
+  </refsection>
+
+  <refsection>
+    <title>Options</title>
+
+    <para>The following configuration parameters are applicable in the context
+    of the <option>sql</option> plugin:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><parameter>sql_engine</parameter> (default:
+        <option>mysql</option>)</term>
+
+        <listitem>
+          <para>Specifies the type of SQL engine to use for connections to the
+          SQL backend. The following types are available:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>mysql</option></term>
+
+              <listitem>
+                <para>Enables the mysql driver for connections to a MySQL
+                server.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>pgsql</option></term>
+
+              <listitem>
+                <para>Enables the pgsql driver for connections to a PostgreSQL
+                server.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>sqlite</option></term>
+
+              <listitem>
+                <para>Enables the sqlite driver for connections to a SQLite
+                server.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_hostnames</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>A comma-separated list of one or more SQL servers the plugin
+          should try to connect to and query from. Specify servers separated
+          in <literal>hostname[:port]</literal> format.</para>
+
+          <note>
+            <para>Specify <systemitem class="server">localhost</systemitem>
+            when using the MySQL engine to communicate over a UNIX domain
+            socket and <systemitem class="ipaddress">127.0.0.1</systemitem> to
+            attempt a connection that uses a TCP socket.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_user</parameter> (default empty)</term>
+
+        <listitem>
+          <para>Configures the username the plugin will send when it
+          authenticates to the SQL server.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_passwd</parameter> (defaults: empty)</term>
+
+        <listitem>
+          <para>Configures the password the plugin will send when it
+          authenticates to the SQL server.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_database</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specifies the name of the database which contains auxiliary
+          properties (e.g. username, realm, password etc.)</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_select</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Mandatory <literal>SELECT</literal> statement used to fetch
+          properties from the SQL database.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_insert</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Optional <literal>INSERT</literal> statement used to create
+          properties for new users in the SQL database.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_update</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Optional <literal>UPDATE</literal> statement used to modify
+          properties in the SQL database.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>sql_usessl</parameter> (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Specify either <option>yes</option>, <option>on</option>,
+          <option>1</option> or <option>true</option>, and the plugin will try
+          to establish a secure connection to the SQL server.</para>
+
+          <remark>Does this really work? I remember it doesn't ...</remark>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <refsection>
+      <title>Macros</title>
+
+      <para>The sql plugin provides macros to build
+      <parameter>sql_select</parameter>, <parameter>sql_select</parameter> and
+      <parameter>sql_select</parameter> statements. They will be replaced with
+      arguments sent from the client. The following macros exist:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>%u</term>
+
+          <listitem>
+            <para>The name of the user whose properties are being selected,
+            inserted or updated.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>%p</term>
+
+          <listitem>
+            <para>The name of the property being selected, inserted or
+            updated. While this could technically be anything, Cyrus SASL will
+            try <parameter>userPassword</parameter> and
+            <parameter>cmusaslsecret<replaceable>MECHNAME</replaceable></parameter>
+            (where <replaceable>MECHNAME</replaceable> is the name of a SASL
+            mechanism).</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>%r</term>
+
+          <listitem>
+            <para>Name of the realm to which the user belongs. This could be
+            the KERBEROS realm, the FQDN of the computer the SASL application
+            is running on or whatever is after the @ on a username.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>%v</term>
+
+          <listitem>
+            <para>Value of the property being stored during insert or update
+            operations. While this could technically be anything depending on
+            the property itself, it generally is a
+            <parameter>userPassword</parameter>. </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsection>
+  </refsection>
+
+  <refsection id="example">
+    <title>Example</title>
+
+    <para>The following example shows a typical <option>sql</option>
+    configuration:</para>
+
+    <programlisting>pwcheck_method: auxprop
+auxprop_plugin: sql
+mech_list: plain login cram-md5 digest-md5
+sql_engine: pgsql
+sql_hostnames: 127.0.0.1, 192.0.2.1
+sql_user: username
+sql_passwd: secret
+sql_database: company
+sql_select: SELECT password FROM users WHERE user = '%u'@'%r'</programlisting>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+
+    <para><citerefentry>
+        <refentrytitle>authdaemond</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>auxprop-ldapdb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>auxprop-sasldb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access the sasldb
+    authentication backend</para>
+
+    <para><citerefentry>
+        <refentrytitle>auxprop-sql</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access SQL authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd.conf</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL saslauthd LDAP configuration file</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslpasswd2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, set a user’s SASL password</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldblistusers2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, list users in sasldb</para>
+  </refsection>
+
+  <refsection>
+    <title>Author</title>
+
+    <para>This manual was written for the Debian distribution because the
+    original program does not have a manual page. Parts of the documentation
+    have been taken from the Cyrus SASL's
+    <filename>options.html</filename>.</para>
+
+    <para><address>Patrick Ben Koetter
+<email>p at state-of-mind.de</email></address></para>
+  </refsection>
+</refentry>
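
Review bot: `sql_select` is named three times in a row in both the Configuration Syntax list and the Macros introduction, where the Options section defines sql_select, sql_insert and sql_update; the second and third occurrences should be sql_insert and sql_update. The Example's `WHERE user = '%u'@'%r'` puts two separately quoted literals with a bare @ between them on the right-hand side, which is not a single value to compare against. Comparing each macro with its own column (for instance user = '%u' AND realm = '%r', where the realm column is hypothetical) would match the rule that macros are quoted individually. The Macros text also says the macros are replaced with arguments sent from the client, so the page should state whether the plugin escapes those values before substitution. The `<remark>` under sql_usessl needs an answer before release, the quoting rule lists %u, %r and %v but omits %p, and the sqlite entry describes SQLite as a server.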

Added: cyrus-sasl-2.1/trunk/debian/doc/ldapdb.5
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/ldapdb.5?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/ldapdb.5 (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/ldapdb.5 Wed Dec  3 22:49:32 2008
@@ -1,0 +1,143 @@
+.\"     Title: ldapdb
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 11/21/2008
+.\"    Manual: 
+.\"    Source: 
+.\"
+.TH "LDAPDB" "5" "11/21/2008" "" ""
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+ldapdb \- Cyrus SASL auxprop plugin to access LDAP authentication backends
+.SH "SYNOPSIS"
+.PP
+\fIauxprop_plugin\fR:
+\fBldapdb\fR
+.SH "DESCRIPTION"
+.PP
+This document describes configuration options for the Cyrus SASL auxiliary property plugin
+\fBldapdb\fR.
+.PP
+This plugin reads all user data from an OpenLDAP server. It requires configuration of the
+\fBldapdb\fR
+plugin and of the LDAP server. The
+\fBldapdb\fR
+plugin must name a proxy user. The proxy user must (also) SASL authenticate at the LDAP server. The LDAP server must authorize the
+\fBldapdb\fR
+proxy user to access the authenticating users
+\fIuserPassword\fR.
+.SH "OPTIONS"
+.PP
+The following configuration parameters are applicable in the context of the
+\fBldapdb\fR
+plugin:
+.PP
+\fBldapdb_uri\fR (default: empty)
+.RS 4
+Specifies a whitespace\-separated list of LDAP servers (authentication backends). Use
+\fBldapi://\fR...,
+\fBldap://\fR... or
+\fBldaps://\fR... to specify how the servers should be contacted.
+.RE
+.PP
+\fBldapdb_id\fR (default: empty)
+.RS 4
+Specifies the proxy user name (authentication id) who logs into the LDAP server in order to retrieve the authenticating users
+\fIuserPassword\fR.
+.RE
+.PP
+\fBldapdb_mech\fR (default: empty)
+.RS 4
+Sets the SASL mechanism the
+\fBldapdb\fR
+plugin (client) should use when it SASL connects to the LDAP server.
+.RE
+.PP
+\fBldapdb_pw\fR (default: empty)
+.RS 4
+Specifies the password used by
+\fIldapdb_id\fR. The password must be written in cleartext.
+.RE
+.PP
+\fBldapdb_rc\fR (default: empty)
+.RS 4
+Specifies a path to a file that contains configuration options to override system\-wide defaults when running ldap clients (see also:
+\fBldap.conf\fR(5)).
+.sp
+The main purpose behind this option is to drop transmission of
+\fIldapdb_pw\fR
+in favor of a client TLS certificate specified in
+\fIldapdb_rc\fR, so that SASL/EXTERNAL may be used between the ldapdb plugin and the LDAP server.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+This is the most optimal way to use the ldapdb plugin when the servers are on separate machines \- the connection is encrypted and password transmission is not necessary because the client is identified by its TLS client certificate.
+.RE
+.PP
+\fBldapdb_starttls\fR (default: empty)
+.RS 4
+Enable encrypted communication using StartTLS. Valid options are:
+.RS 4
+.PP
+\fBtry\fR
+.RS 4
+StartTLS encrypted communication is attempted. If it fails the client communicates unencrypted.
+.RE
+.PP
+\fBdemand\fR
+.RS 4
+StartTLS encrypted communication is required. If it fails the client aborts the connection.
+.RE
+.RE
+.RE
+.SH "EXAMPLE"
+.PP
+The following example shows a typical
+\fBldapdb\fR
+configuration.
+.sp
+.RS 4
+.nf
+pwcheck_method: auxprop
+auxprop_plugin: ldapdb
+mech_list: PLAIN LOGIN NTLM CRAM\-MD5 DIGEST\-MD5
+ldapdb_uri: ldap://localhost ldaps://ldap.example.com
+ldapdb_id: proxyuser
+ldapdb_pw: proxypass
+ldapdb_mech: DIGEST\-MD5
+.fi
+.RE
+.SH "SEE ALSO"
+.PP
+\fBauthdaemond\fR(5), Cyrus SASL password verification service
+.PP
+\fBldapdb\fR(5), Cyrus SASL auxprop plugin to access LDAP authentication backends
+.PP
+\fBsaslauthd\fR(8), Cyrus SASL password verification service
+.PP
+\fBsaslauthd.conf\fR(5), Cyrus SASL saslauthd LDAP configuration file
+.PP
+\fBsaslpasswd2\fR(5), set a user\(cqs SASL password
+.PP
+\fBsasldblistusers2\fR(5), list users in sasldb
+.PP
+\fBsasldb\fR(5), Cyrus SASL auxprop plugin to access the sasldb authentication backend
+.PP
+\fBsql\fR(5), Cyrus SASL auxprop plugin to access SQL authentication backends
+.SH "AUTHOR"
+.PP
+This manual was written for the Debian distribution because the original program does not have a manual page. Parts of the documentation have been taken from the Cyrus SASL's
+\fIoptions.html\fR.
+.PP
+.RS 4
+.nf
+Patrick Ben Koetter
+<p at state\-of\-mind.de>
+.fi
+.RE
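
Review bot: this file is generated output (its header names DocBook XSL Stylesheets v1.71.1 as the Generator) committed next to its source auxprop-ldapdb.5.xml, so the two can drift apart; consider producing it at package build time instead of versioning it. If it stays, the empty Author, Manual and Source header fields and the empty trailing arguments in `.TH "LDAPDB" "5" "11/21/2008" "" ""` show that the refentry lacks the metadata the stylesheet reads; adding refmiscinfo elements to refmeta in the XML would fill them. The generated name ldapdb.5 also differs from the auxprop-ldapdb(5) name that auxprop-sql.5.xml uses in its See also section.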

Added: cyrus-sasl-2.1/trunk/debian/doc/libsasl.5
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/libsasl.5?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/libsasl.5 (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/libsasl.5 Wed Dec  3 22:49:32 2008
@@ -1,0 +1,335 @@
+.\"     Title: libsasl
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 11/30/2008
+.\"    Manual: 
+.\"    Source: 
+.\"
+.TH "LIBSASL" "5" "11/30/2008" "" ""
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+libsasl \- Cyrus SASL authentication library
+.SH "SYNOPSIS"
+.HP 1
+ []
+.SH "DESCRIPTION"
+.PP
+This document describes generic configuration options for the Cyrus SASL authentication library
+\fIlibsasl\fR.
+.PP
+The library handles communication between an application and the Cyrus SASL authentication framework. Both exchange information before libsasl can start offering authentication services for the application.
+.PP
+The application, among other data, sends the
+\fIservice_name\fR.The service name is the services name as specified by IANA. SMTP servers, for example, send
+\fBsmtp\fR
+as service_name. This information is handed over by libsasl e.g. when Kerberos or PAM authentication takes place.
+.PP
+Configuration options in general are read either from a file or passed by the application using
+\fIlibsasl\fR
+during library initialization.
+.SS "File\-Based configuration"
+.PP
+When an application (server) starts, it initializes the
+\fIlibsasl\fR
+library. The application passes
+\fIapp_name\fR
+(application name) to the SASL library. Its value is used to construct the name of the application specific SASL configuration file. The Cyrus SASL sample\-server, for example, sends
+\fBsample\fR
+as
+\fIapp_name\fR. Using this value the SASL library will search the configuration directories for a file named
+\fIsample.conf\fR
+and read configuration options from it.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+.PP
+Consult the applications manual to determine what
+\fIapp_name\fR
+it sends to the Cyrus SASL library.
+.SS "Application\-Based Configuration"
+.PP
+Configuration options for
+\fIlibsasl\fR
+are written down together with application specific options in the applications configuration file. The application reads them and passes them over to
+\fIlibsasl\fR
+when it loads the library.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+.PP
+An example for application\-based configuration is the Cyrus IMAP server
+imapd. SASL configuration is written to
+\fIimapd.conf\fR
+and passed to the SASL library when the
+imapd
+server starts.
+.SH "CONFIGURATION SYNTAX"
+.PP
+The general format of Cyrus SASL configuration file is as follows:
+.PP
+Configuration options
+.RS 4
+Configuration options are written each on a single logical line. Parameter and value must be separated by a colon and a single whitespace:
+.sp
+.RS 4
+.nf
+parameter: value
+.fi
+.RE
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBImportant\fR
+There must be no trailing whitespace after the value or Cyrus SASL will fail to read the option!
+.RE
+.PP
+Comments, Emtpy lines and whitespace\-only lines
+.RS 4
+Empty lines and whitespace\-only lines are ignored, as are lines whose first non\-whitespace character is a
+\(lq#\(rq.
+.RE
+.SH "OPTIONS"
+.PP
+There are generic options and options specific to the password verification service or auxiliary property plugin choosen by the administrator. Such specific options are documented in manuals listed in
+the section called \(lqSEE ALSO\(rq.
+.PP
+The following configuration parameters are generic configuration options:
+.PP
+\fIauthdaemond_path\fR (default: \fB/dev/null\fR)
+.RS 4
+Path to Courier MTA authdaemond's unix socket. Only applicable when
+\fIpwcheck_method\fR
+is set to
+\fBauthdaemond\fR.
+.RE
+.PP
+\fIauto_transition\fR: (default: \fBno\fR)
+.RS 4
+Automatically transition users to other mechanisms when they do a successful plaintext authentication and if an auxprop plugin is used.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBImportant\fR
+This option does not apply to the
+\fBldapdb\fR(5)
+plugin. It is a read\-only plugin.
+.RS 4
+.PP
+\fBno\fR
+.RS 4
+Do not transition users to other mechanisms.
+.RE
+.PP
+\fBnoplain\fR
+.RS 4
+Transition users to other mechanisms, but write non\-plaintext secrets only.
+.RE
+.PP
+\fByes\fR
+.RS 4
+Transition users to other mechanisms.
+.RE
+.RE
+.IP "" 4
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+The only mechanisms (as currently implemented) which don't use plaintext secrets are OTP and SRP.
+.RE
+.PP
+\fIauxprop_plugin\fR: (default: empty)
+.RS 4
+A whitespace\-separated list of one or more auxiliary plugins used if the
+\fIpwcheck_method\fR
+parameter specifies
+\fBauxprop\fR
+as an option. Plugins will be queried in list order. If no plugin is specified, all available plugins will be queried.
+.RS 4
+.PP
+\fBldapdb\fR
+.RS 4
+Specify
+\fBldapdb\fR
+to use the Cyrus SASL
+\fBldapdb\fR(5)
+plugin.
+.RE
+.PP
+\fBsasldb\fR
+.RS 4
+Specify
+\fBsasldb\fR
+to use the Cyrus SASL
+\fBsasldb\fR(5)
+plugin.
+.RE
+.PP
+\fBsql\fR
+.RS 4
+Specify
+\fBsql\fR
+to use the Cyrus SASL
+\fBsql\fR(5)
+plugin.
+.RE
+.RE
+.RE
+.PP
+\fIlog_level\fR: (default: \fB1\fR)
+.RS 4
+Specifies a numeric log level. Available log levels are:
+.RS 4
+.PP
+\fB0\fR
+.RS 4
+Don't log anything
+.RE
+.PP
+\fB1\fR
+.RS 4
+Log unusual errors
+.RE
+.PP
+\fB2\fR
+.RS 4
+Log all authentication failures
+.RE
+.PP
+\fB3\fR
+.RS 4
+Log non\-fatal warnings
+.RE
+.PP
+\fB4\fR
+.RS 4
+More verbose than 3
+.RE
+.PP
+\fB5\fR
+.RS 4
+More verbose than 4
+.RE
+.PP
+\fB6\fR
+.RS 4
+Traces of internal protocols
+.RE
+.PP
+\fB7\fR
+.RS 4
+Traces of internal protocols, including passwords
+.RE
+.RE
+.IP "" 4
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBImportant\fR
+Cyrus SASL hands log messages up to the application that runs it. It is upon that application to decide if it forwards such messages to the
+\fBsysklogd\fR(8)
+service, to which
+\fIfacility\fR
+they are sent and which
+\fIpriority\fR
+is given to the message.
+.RE
+.PP
+\fImech_list\fR: (default: empty)
+.RS 4
+The optional
+\fImech_list\fR
+parameter specifies a whitespace\-separated list of one or more mechanisms allowed for authentication.
+.RE
+.PP
+\fIpwcheck_method\fR: (default: \fBauxprop\fR)
+.RS 4
+A whitespace\-separated list of one or more mechanisms. Cyrus SASL provides the following mechanisms:
+.RS 4
+.PP
+\fBauthdaemond\fR
+.RS 4
+Configures Cyrus SASL to contact the Courier MTA
+\fBauthdaemond\fR(8)
+password verification service for password verification.
+.RE
+.PP
+\fBalwaystrue\fR
+.RS 4
+TODO
+.RE
+.PP
+\fBauxprop\fR
+.RS 4
+Cyrus SASL will use its own plugin infrastructure to verify passwords. The
+\fI\fIauxprop_plugin\fR\fR
+parameter controls which plugins will be used.
+.RE
+.PP
+\fBpwcheck\fR
+.RS 4
+Verify passwords using the Cyrus SASL
+\fBpwcheck\fR(8)
+password verification service. The pwcheck daemon is considered deprecated and should not be used anymore. Use the saslauthd password verification service instead.
+.RE
+.PP
+\fBsaslauthd\fR
+.RS 4
+Verify passwords using the Cyrus SASL
+\fBsaslauthd\fR(8)
+password verification service.
+.RE
+.RE
+.RE
+.PP
+\fIsaslauthd_path\fR: (default: empty)
+.RS 4
+Path to saslauthd run directory (including the "/mux" named pipe)
+.RE
+.SH "SEE ALSO"
+.PP
+\fBauthdaemond\fR(5), Cyrus SASL password verification service
+.PP
+\fBldapdb\fR(5), Cyrus SASL auxprop plugin to access LDAP authentication backends
+.PP
+\fBlibsasl\fR(5), Cyrus SASL authentication library
+.PP
+\fBsaslauthd\fR(8), Cyrus SASL password verification service
+.PP
+\fBsaslauthd.conf\fR(5), Cyrus SASL saslauthd LDAP configuration file
+.PP
+\fBsaslpasswd2\fR(5), set a user\(cqs SASL password
+.PP
+\fBsasldblistusers2\fR(5), list users in sasldb
+.PP
+\fBsasldb\fR(5), Cyrus SASL auxprop plugin to access the sasldb authentication backend
+.PP
+\fBsql\fR(5), Cyrus SASL auxprop plugin to access SQL authentication backends
+.SH "AUTHOR"
+.PP
+This manual was written for the Debian distribution because the original program does not have a manual page. Parts of the documentation have been taken from the Cyrus SASL's
+\fIoptions.html\fR.
+.PP
+.RS 4
+.nf
+Patrick Ben Koetter
+<p at state\-of\-mind.de>
+.fi
+.RE
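
Review bot: The header comments mark this file as DocBook XSL Stylesheets output, and libsasl.5.xml is added in the same commit, so checking in both lets the two drift apart; consider generating the roff at package build time, or say in the log that the .5 files must be regenerated after every XML edit. The generated output also exposes gaps that should be fixed in the XML source rather than here: the Author, Manual and Source header fields are empty, so `.TH "LIBSASL" "5" "11/30/2008" "" ""` leaves the page without a source or manual name, and SYNOPSIS renders as a bare `[]`, which for a configuration-file page is better dropped or replaced by the configuration file name.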

Added: cyrus-sasl-2.1/trunk/debian/doc/libsasl.5.xml
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/libsasl.5.xml?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/libsasl.5.xml (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/libsasl.5.xml Wed Dec  3 22:49:32 2008
@@ -1,0 +1,500 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>libsasl</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>libsasl</refname>
+
+    <refpurpose>Cyrus SASL authentication library</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command></command>
+
+      <arg choice="opt"></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>Description</title>
+
+    <para>This document describes generic configuration options for the Cyrus
+    SASL authentication library <filename>libsasl</filename>.</para>
+
+    <para>The library handles communication between an application and the
+    Cyrus SASL authentication framework. Both exchange information before
+    libsasl can start offering authentication services for the
+    application.</para>
+
+    <para>The application, among other data, sends the
+    <parameter>service_name</parameter>.The service name is the services name
+    as specified by IANA. SMTP servers, for example, send
+    <option>smtp</option> as service_name. This information is handed over by
+    libsasl e.g. when Kerberos or PAM authentication takes place.</para>
+
+    <para>Configuration options in general are read either from a file or
+    passed by the application using <filename>libsasl</filename> during
+    library initialization.</para>
+
+    <refsection>
+      <title>File-Based configuration</title>
+
+      <para>When an application (server) starts, it initializes the
+      <filename>libsasl</filename> library. The application passes
+      <parameter>app_name</parameter> (application name) to the SASL library.
+      Its value is used to construct the name of the application specific SASL
+      configuration file. The Cyrus SASL sample-server, for example, sends
+      <option>sample</option> as <parameter>app_name</parameter>. Using this
+      value the SASL library will search the configuration directories for a
+      file named <filename>sample.conf</filename> and read configuration
+      options from it.</para>
+
+      <note>
+        <para>Consult the applications manual to determine what
+        <parameter>app_name</parameter> it sends to the Cyrus SASL
+        library.</para>
+      </note>
+    </refsection>
+
+    <refsection>
+      <title>Application-Based Configuration</title>
+
+      <para>Configuration options for <filename>libsasl</filename> are written
+      down together with application specific options in the applications
+      configuration file. The application reads them and passes them over to
+      <filename>libsasl</filename> when it loads the library.</para>
+
+      <note>
+        <para>An example for application-based configuration is the Cyrus IMAP
+        server <systemitem class="daemon">imapd</systemitem>. SASL
+        configuration is written to <filename>imapd.conf</filename> and passed
+        to the SASL library when the <systemitem
+        class="daemon">imapd</systemitem> server starts.</para>
+      </note>
+    </refsection>
+  </refsection>
+
+  <refsection>
+    <title>Configuration Syntax</title>
+
+    <para>The general format of Cyrus SASL configuration file is as
+    follows:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>Configuration options</term>
+
+        <listitem>
+          <para>Configuration options are written each on a single logical
+          line. Parameter and value must be separated by a colon and a single
+          whitespace:</para>
+
+          <programlisting>parameter: value</programlisting>
+
+          <important>
+            <para>There must be no trailing whitespace after the value or
+            Cyrus SASL will fail to read the option!</para>
+          </important>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Comments, Emtpy lines and whitespace-only lines</term>
+
+        <listitem>
+          <para>Empty lines and whitespace-only lines are ignored, as are
+          lines whose first non-whitespace character is a
+          <quote>#</quote>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Options</title>
+
+    <para>There are generic options and options specific to the password
+    verification service or auxiliary property plugin choosen by the
+    administrator. Such specific options are documented in manuals listed in
+    <xref linkend="seealso" />.</para>
+
+    <para>The following configuration parameters are generic configuration
+    options:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><parameter>authdaemond_path</parameter> (default:
+        <option>/dev/null</option>)</term>
+
+        <listitem>
+          <para>Path to Courier MTA authdaemond's unix socket. Only applicable
+          when <parameter>pwcheck_method</parameter> is set to
+          <option>authdaemond</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>auto_transition</parameter>: (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Automatically transition users to other mechanisms when they
+          do a successful plaintext authentication and if an auxprop plugin is
+          used.</para>
+
+          <important>
+            <para>This option does not apply to the <citerefentry>
+                <refentrytitle>ldapdb</refentrytitle>
+
+                <manvolnum>5</manvolnum>
+              </citerefentry> plugin. It is a read-only plugin.</para>
+          </important>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>no</option></term>
+
+              <listitem>
+                <para>Do not transition users to other mechanisms.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noplain</option></term>
+
+              <listitem>
+                <para>Transition users to other mechanisms, but write
+                non-plaintext secrets only.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>yes</option></term>
+
+              <listitem>
+                <para>Transition users to other mechanisms.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <note>
+            <para>The only mechanisms (as currently implemented) which don't
+            use plaintext secrets are OTP and SRP.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>auxprop_plugin</parameter>: (default: empty)</term>
+
+        <listitem>
+          <para>A whitespace-separated list of one or more auxiliary plugins
+          used if the <parameter>pwcheck_method</parameter> parameter
+          specifies <option>auxprop</option> as an option. Plugins will be
+          queried in list order. If no plugin is specified, all available
+          plugins will be queried.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>ldapdb</option></term>
+
+              <listitem>
+                <para>Specify <option>ldapdb</option> to use the Cyrus SASL
+                <citerefentry>
+                    <refentrytitle>ldapdb</refentrytitle>
+
+                    <manvolnum>5</manvolnum>
+                  </citerefentry> plugin.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>sasldb</option></term>
+
+              <listitem>
+                <para>Specify <option>sasldb</option> to use the Cyrus SASL
+                <citerefentry>
+                    <refentrytitle>sasldb</refentrytitle>
+
+                    <manvolnum>5</manvolnum>
+                  </citerefentry> plugin.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>sql</option></term>
+
+              <listitem>
+                <para>Specify <option>sql</option> to use the Cyrus SASL
+                <citerefentry>
+                    <refentrytitle>sql</refentrytitle>
+
+                    <manvolnum>5</manvolnum>
+                  </citerefentry> plugin.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>log_level</parameter>: (default:
+        <option>1</option>)</term>
+
+        <listitem>
+          <para>Specifies a numeric log level. Available log levels
+          are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>0</option></term>
+
+              <listitem>
+                <para>Don't log anything</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>1</option></term>
+
+              <listitem>
+                <para>Log unusual errors</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>2</option></term>
+
+              <listitem>
+                <para>Log all authentication failures</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>3</option></term>
+
+              <listitem>
+                <para>Log non-fatal warnings</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>4</option></term>
+
+              <listitem>
+                <para>More verbose than 3</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>5</option></term>
+
+              <listitem>
+                <para>More verbose than 4</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>6</option></term>
+
+              <listitem>
+                <para>Traces of internal protocols</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>7</option></term>
+
+              <listitem>
+                <para>Traces of internal protocols, including passwords</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <important>
+            <para>Cyrus SASL hands log messages up to the application that
+            runs it. It is upon that application to decide if it forwards such
+            messages to the <citerefentry>
+                <refentrytitle>sysklogd</refentrytitle>
+
+                <manvolnum>8</manvolnum>
+              </citerefentry> service, to which
+            <parameter>facility</parameter> they are sent and which
+            <parameter>priority</parameter> is given to the message.</para>
+          </important>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>mech_list</parameter>: (default: empty)</term>
+
+        <listitem>
+          <para>The optional <parameter>mech_list</parameter> parameter
+          specifies a whitespace-separated list of one or more mechanisms
+          allowed for authentication.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>pwcheck_method</parameter>: (default:
+        <option>auxprop</option>)</term>
+
+        <listitem>
+          <para>A whitespace-separated list of one or more mechanisms. Cyrus
+          SASL provides the following mechanisms:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>authdaemond</option></term>
+
+              <listitem>
+                <para>Configures Cyrus SASL to contact the Courier MTA
+                <citerefentry>
+                    <refentrytitle>authdaemond</refentrytitle>
+
+                    <manvolnum>8</manvolnum>
+                  </citerefentry> password verification service for password
+                verification.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>alwaystrue</option></term>
+
+              <listitem>
+                <para>TODO</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>auxprop</option></term>
+
+              <listitem>
+                <para>Cyrus SASL will use its own plugin infrastructure to
+                verify passwords. The
+                <parameter><parameter>auxprop_plugin</parameter></parameter>
+                parameter controls which plugins will be used.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>pwcheck</option></term>
+
+              <listitem>
+                <para>Verify passwords using the Cyrus SASL <citerefentry>
+                    <refentrytitle>pwcheck</refentrytitle>
+
+                    <manvolnum>8</manvolnum>
+                  </citerefentry> password verification service. The pwcheck
+                daemon is considered deprecated and should not be used
+                anymore. Use the saslauthd password verification service
+                instead.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>saslauthd</option></term>
+
+              <listitem>
+                <para>Verify passwords using the Cyrus SASL <citerefentry>
+                    <refentrytitle>saslauthd</refentrytitle>
+
+                    <manvolnum>8</manvolnum>
+                  </citerefentry> password verification service.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>saslauthd_path</parameter>: (default: empty)</term>
+
+        <listitem>
+          <para>Path to saslauthd run directory (including the "/mux" named
+          pipe)</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection id="seealso">
+    <title>See also</title>
+
+    <para><citerefentry>
+        <refentrytitle>authdaemond</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>ldapdb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>libsasl</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL authentication library</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd.conf</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL saslauthd LDAP configuration file</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslpasswd2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, set a user’s SASL password</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldblistusers2</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, list users in sasldb</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access the sasldb
+    authentication backend</para>
+
+    <para><citerefentry>
+        <refentrytitle>sql</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access SQL authentication
+    backends</para>
+  </refsection>
+
+  <refsection>
+    <title>Author</title>
+
+    <para>This manual was written for the Debian distribution because the
+    original program does not have a manual page. Parts of the documentation
+    have been taken from the Cyrus SASL's
+    <filename>options.html</filename>.</para>
+
+    <para><address>Patrick Ben Koetter
+<email>p at state-of-mind.de</email></address></para>
+  </refsection>
+</refentry>
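
Review bot: The log_level entry lists 7 as "Traces of internal protocols, including passwords" with no warning, and the `<important>` that follows only covers syslog routing; add a sentence there saying that level 7 puts user passwords into whatever log the application writes and should not be left enabled in production. Likewise, alwaystrue under pwcheck_method ships with `<para>TODO</para>`: an option with that name in the password-verification list should either state its behaviour or be left out of the page until it can. Smaller points: authdaemond is cited as section 8 under pwcheck_method but as section 5 in "See also"; "See also" lists libsasl(5), which is this page; `<parameter><parameter>auxprop_plugin</parameter></parameter>` is double-wrapped; the authdaemond_path term lacks the colon the other terms carry; the empty `<command></command>` and `<arg choice="opt"></arg>` are what produce the `[]` synopsis in the generated page; and there are typos at "Emtpy", "choosen" and "`</parameter>.The`" (missing space).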

Added: cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5 (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5 Wed Dec  3 22:49:32 2008
@@ -1,0 +1,433 @@
+.\"     Title: saslauthd.conf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 11/21/2008
+.\"    Manual: 
+.\"    Source: 
+.\"
+.TH "SASLAUTHD.CONF" "5" "11/21/2008" "" ""
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+saslauthd.conf \- Cyrus SASL saslauthd LDAP configuration file
+.SH "SYNOPSIS"
+.HP 10
+\fBsaslauthd\fR [\-a\ ldap]
+.HP 10
+\fBsaslauthd\fR [\-a\ ldap] [\-O\ \fI/etc/saslauthd.conf\fR]
+.SH "DESCRIPTION"
+.PP
+This document describes LDAP configuration options for the Cyrus SASL password verification service
+\fBsaslauthd\fR.
+.PP
+By default, if only the authentication mechanism
+\fBldap\fR
+is specified,
+\fBsaslauthd\fR
+expects to find LDAP configuration options in
+\fI/usr/local/etc/saslauthd.conf\fR. This location can be overridden if the additional command line option
+\fB\-O\fR
+together with the location of the configuration file is specified at startup time.
+.PP
+The following are available ldap parameters. The defaults are probably adequate for most installations. Only
+\fI\fIldap_servers\fR\fR
+may need to be specified.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBImportant\fR
+.PP
+Do not use quotes (\\"\\') in the parameter values.
+.PP
+\fIldap_auth_method\fR (default: \fBbind\fR|\fBfastbind\fR)
+.RS 4
+The bind method uses the LDAP bind facility to verify the password. The bind method is not available when
+\fIldap_use_sasl\fR
+is turned on. In that case saslauthd will use fastbind.
+.RS 4
+.PP
+\fBbind\fR
+.RS 4
+\fBbind\fR
+is the default auth method. When ldap_use_sasl is enabled, 'fastbind' is the default.
+.RE
+.PP
+\fBcustom\fR
+.RS 4
+The
+\fBcustom\fR
+method uses
+\fIuserPassword\fR
+attribute to verify the password. Supported hashes:
+crypt,
+md5, smd5,
+sha
+and
+ssha.
+Cleartext
+is supported as well.
+.RE
+.PP
+\fBfastbind\fR
+.RS 4
+The
+\fBfastbind\fR
+method \- when
+\fIldap_use_sasl\fR
+is
+\fBno\fR
+\- does away with the search and an extra anonymous bind in auth_bind, but makes two assumptions:
+.RS 4
+.TP 4
+1.
+Expanding the ldap_filter expression gives the user's fully\-qualified DN
+.TP 4
+2.
+There is no cost to staying bound as a named user
+.RE
+.RE
+.RE
+.RE
+.PP
+\fIldap_bind_dn\fR (default: empty)
+.RS 4
+Specify
+DN
+(distinguished name) to bind to the LDAP directory. Do not specify this parameter for the anonymous bind.
+.RE
+.PP
+\fIldap_bind_pw\fR (default: empty)
+.RS 4
+An alias for
+\fIldap_password\fR.
+.RE
+.PP
+\fIldap_default_domain\fR (default: empty)
+.RS 4
+An alias for
+\fIldap_default_realm\fR.
+.RE
+.PP
+\fIldap_default_realm\fR (default: empty)
+.RS 4
+The default realm is assigned to the
+\fB%r\fR
+token when realm is not available. See
+\fIldap_filter\fR
+for more.
+.RE
+.PP
+\fIldap_deref\fR (default: empty)
+.RS 4
+Specify how aliases dereferencing is handled during search. Should be one of
+\fBnever\fR,
+\fBalways\fR,
+\fBsearch\fR, or
+\fBfind\fR
+to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search.
+.RE
+.PP
+\fIldap_filter\fR (default: \fBuid=%u\fR)
+.RS 4
+Specify a filter. The following tokens can be used in the filter string:
+.RS 4
+.PP
+\fB%%\fR
+.RS 4
+This is replaced by a literal \(cq%\(cq character.
+.RE
+.PP
+\fB%u\fR
+.RS 4
+\fB%u\fR
+is replaced by the complete user string.
+.RE
+.PP
+\fB%U\fR
+.RS 4
+If the string is an address (\fB%u\fR),
+\fB%U\fR
+will be replaced by the local part of that address.
+.RE
+.PP
+\fB%d\fR
+.RS 4
+If the string is an address (\fB%u\fR),
+\fB%d\fR
+will be replaced by the domain part of that address. Otherwise it will be the same as
+\fB%r\fR.
+.RE
+.PP
+\fB%1\-9\fR
+.RS 4
+If the input key is
+user at mail.example.com, then
+\fB%1\fR
+is
+com,
+\fB%2\fR
+is
+example
+and
+\fB%3\fR
+is
+mail.
+.RE
+.PP
+\fB%s\fR
+.RS 4
+\fB%s\fR
+is replaced by the complete service string.
+.RE
+.PP
+\fB%r\fR
+.RS 4
+\fB%r\fR
+is replaced by the complete realm string.
+.RE
+.PP
+\fB%D\fR
+.RS 4
+\fB%D\fR
+is replaced by the complete user DN (available for group checks)
+.RE
+.RE
+.IP "" 4
+The
+\fB%u\fR
+token has to be used at minimum for the filter to be useful. If
+\fIldap_auth_method\fR
+is
+\fBbind\fR, the filter will search for the
+DN
+(distinguished name) attribute. Otherwise, the search will look for the
+\fIldap_password_attr\fR
+attribute.
+.RE
+.PP
+\fIldap_group_attr\fR (default: \fBuniqueMember\fR)
+.RS 4
+Specify what attribute to compare the user DN against in the group. If
+\fIldap_group_dn\fR
+is not specified, this parameter is ignored. If
+\fIldap_group_match_method\fR
+is not
+\fBattr\fR, this parameter is ignored.
+.RE
+.PP
+\fIldap_group_dn\fR (default: empty)
+.RS 4
+If specified, the user has to be part of the group in order to authenticate successfully. Tokens described in
+\fIldap_filter\fR
+can be used for substitution.
+.RE
+.PP
+\fIldap_group_filter\fR (default: empty)
+.RS 4
+Specify a filter. If a filter match is found then the user is in the group. Tokens described in
+\fIldap_filter\fR
+can be used for for substitution. If
+\fIldap_group_dn\fR
+is not specified, this parameter is ignored. If
+\fIldap_group_match_method\fR
+is not filter, this parameter is ignored.
+.RE
+.PP
+\fIldap_group_match_method\fR (default: \fBattr\fR)
+.RS 4
+If
+\fBattr\fR
+is used the group match method uses
+\fIldap_group_attr\fR
+and if
+\fBfilter\fR
+is used
+\fIldap_group_search\fR
+will be used as group match method. If
+\fIldap_group_dn\fR
+is not specified, this parameter is ignored.
+.RE
+.PP
+\fIldap_group_search_base\fR (default: \fIldap_search_base\fR)
+.RS 4
+Specify a starting point for the group search: e.g.
+dc=example,dc=com. Tokens described in
+\fIldap_filter\fR
+can be used for substitution.
+.RE
+.PP
+\fIldap_group_scope\fR (default: sub)
+.RS 4
+Group search scope. Options are either
+\fBsub\fR,
+\fBone\fR
+or
+\fBbase\fR.
+.RE
+.PP
+\fIldap_password\fR (default: empty)
+.RS 4
+Specify the password for
+\fIldap_bind_dn\fR
+or
+\fIldap_id\fR
+if
+\fIldap_use_sasl\fR
+is turned on. Do not specify this parameter for the anonymous bind.
+.RE
+.PP
+\fIldap_password_attr\fR (default: \fBuserPassword\fR)
+.RS 4
+Specify what password attribute to use for password verification.
+.RE
+.PP
+\fIldap_referrals\fR (default: \fBno\fR)
+.RS 4
+Specify whether or not the client should follow referrals.
+.RE
+.PP
+\fIldap_restart\fR (default: \fByes\fR)
+.RS 4
+Specify whether or not LDAP I/O operations are automatically restarted if they abort prematurely.
+.RE
+.PP
+\fIldap_id\fR (default: empty)
+.RS 4
+Specify the authentication ID for SASL bind.
+.RE
+.PP
+\fIldap_authz_id\fR (default: empty)
+.RS 4
+Specify the proxy authorization ID for SASL bind.
+.RE
+.PP
+\fIldap_mech\fR (default: empty)
+.RS 4
+Specify the authentication mechanism for SASL bind.
+.RE
+.PP
+\fIldap_realm\fR (default: empty)
+.RS 4
+Specify the realm of authentication ID for SASL bind.
+.RE
+.PP
+\fIldap_scope\fR (default: \fBsub\fR)
+.RS 4
+Search scope. Options are either
+\fBsub\fR,
+\fBone\fR
+or
+\fBbase\fR.
+.RE
+.PP
+\fIldap_search_base\fR (default: empty)
+.RS 4
+Specify a starting point for the search: e.g.
+dc=example,dc=com. Tokens described in
+\fIldap_filter\fR
+can be used for substitution.
+.RE
+.PP
+\fIldap_servers\fR (default: \fBldap://localhost/\fR)
+.RS 4
+Specify one or more URI(s) referring to LDAP server(s), e.g.
+ldaps://10.1.1.2:999/. Multiple servers must be separated by space.
+.RE
+.PP
+\fIldap_start_tls\fR (default: \fBno\fR)
+.RS 4
+Use StartTLS extended operation. Do not use ldaps: ldap_servers when this option is turned on.
+.RE
+.PP
+\fIldap_time_limit\fR (default: \fB5\fR)
+.RS 4
+Specify a number of seconds for a search request to complete.
+.RE
+.PP
+\fIldap_timeout\fR (default: \fB5\fR)
+.RS 4
+Specify a number of seconds a search can take before timing out.
+.RE
+.PP
+\fIldap_tls_check_peer\fR (default: \fBno\fR)
+.RS 4
+Require and verify server certificate. If this option is
+\fByes\fR, you must specify
+\fIldap_tls_cacert_file\fR
+or
+\fIldap_tls_cacert_dir\fR.
+.RE
+.PP
+\fIldap_tls_cacert_file\fR (default: empty)
+.RS 4
+File containing CA (Certificate Authority) certificate(s).
+.RE
+.PP
+\fIldap_tls_cacert_dir\fR (default: empty)
+.RS 4
+Path to directory with CA (Certificate Authority) certificates.
+.RE
+.PP
+\fIldap_tls_ciphers\fR (default: \fBDEFAULT\fR)
+.RS 4
+List of SSL/TLS ciphers to allow. The format of the string is described in
+\fBciphers\fR(1).
+.RE
+.PP
+\fIldap_tls_cert\fR (default: empty)
+.RS 4
+File containing the client certificate.
+.RE
+.PP
+\fIldap_tls_key\fR (default: empty)
+.RS 4
+File containing the private client key.
+.RE
+.PP
+\fIldap_use_sasl\fR (default: \fBno\fR)
+.RS 4
+Use SASL bind instead of simple bind when connecting to the LDAP server.
+.RE
+.PP
+\fIldap_version\fR (default: \fB3\fR)
+.RS 4
+Specify the LDAP protocol version \- either
+\fB2\fR
+or
+\fB3\fR. If
+\fIldap_start_tls\fR
+and/or
+\fIldap_use_sasl\fR
+are enabled,
+\fIldap_version\fR
+will be automatically set to
+\fB3\fR.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBsaslauthd\fR(8)
+.SH "AUTHOR(S)"
+.PP
+This manual is based on notes in
+\fILDAP_SASLAUTHD\fR
+from Igor Brezac.
+.PP
+.RS 4
+.nf
+Igor Brezac
+<Igor at ipass.net>
+.fi
+.RE
+.PP
+It was edited and revised for the Debian distribution because the original program does not have a manual page.
+.PP
+.RS 4
+.nf
+Patrick Ben Koetter
+<p at state\-of\-mind.de>
+.fi
+.RE
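Review bot: In the ldap_group_match_method entry, the filter case points at \fIldap_group_search\fR, but no parameter of that name is documented; the filter parameter described just above is \fIldap_group_filter\fR, and its own text says it is ignored unless the match method is filter. Use ldap_group_filter here so the two entries agree. Also in this hunk: ldap_group_filter reads "can be used for for substitution", and ldap_time_limit and ldap_timeout are described in nearly the same words, so a reader cannot tell which limit each one sets. Because ldap_tls_check_peer defaults to no, the ldap_start_tls and ldap_servers entries should say that the server certificate is not verified unless ldap_tls_check_peer is set to yes together with ldap_tls_cacert_file or ldap_tls_cacert_dir. The same wording appears in saslauthd.conf.5.xml, so it needs fixing there as well.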

Added: cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5.xml
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5.xml?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5.xml (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/saslauthd.conf.5.xml Wed Dec  3 22:49:32 2008
@@ -1,0 +1,611 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<refentry lang="en">
+  <refmeta>
+    <refentrytitle>saslauthd.conf</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>saslauthd.conf</refname>
+
+    <refpurpose>Cyrus SASL saslauthd LDAP configuration file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>saslauthd</command>
+
+      <arg>-a ldap</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>saslauthd</command>
+
+      <arg>-a ldap</arg>
+
+      <arg>-O <replaceable>/etc/saslauthd.conf</replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>Description</title>
+
+    <para>This document describes LDAP configuration options for the Cyrus
+    SASL password verification service <command>saslauthd</command>.</para>
+
+    <para>By default, if only the authentication mechanism
+    <option>ldap</option> is specified,
+    <application><command>saslauthd</command></application> expects to find
+    LDAP configuration options in
+    <filename>/usr/local/etc/saslauthd.conf</filename>. This location can be
+    overridden if the additional command line option <option>-O</option>
+    together with the location of the configuration file is specified at
+    startup time.</para>
+
+    <para>The following are available ldap parameters. The defaults are
+    probably adequate for most installations. Only
+    <parameter><parameter>ldap_servers</parameter></parameter> may need to be
+    specified.</para>
+
+    <important>
+      <para>Do not use quotes (\"\') in the parameter values.</para>
+    </important>
+
+    <variablelist>
+      <varlistentry>
+        <term><parameter>ldap_auth_method</parameter> (default:
+        <option>bind</option>|<option>fastbind</option>)</term>
+
+        <listitem>
+          <para>The bind method uses the LDAP bind facility to verify the
+          password. The bind method is not available when
+          <parameter>ldap_use_sasl</parameter> is turned on. In that case
+          saslauthd will use fastbind.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>bind</option></term>
+
+              <listitem>
+                <para><option>bind</option> is the default auth method. When
+                ldap_use_sasl is enabled, 'fastbind' is the default.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>custom</option></term>
+
+              <listitem>
+                <para>The <option>custom</option> method uses
+                <parameter>userPassword</parameter> attribute to verify the
+                password. Supported hashes: <literal>crypt</literal>,
+                <literal>md5</literal>, smd5, <literal>sha</literal> and
+                <literal>ssha</literal>. <literal>Cleartext</literal> is
+                supported as well.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>fastbind</option></term>
+
+              <listitem>
+                <para>The <option>fastbind</option> method - when
+                <parameter>ldap_use_sasl</parameter> is <option>no</option> -
+                does away with the search and an extra anonymous bind in
+                auth_bind, but makes two assumptions:</para>
+
+                <orderedlist>
+                  <listitem>
+                    <para>Expanding the ldap_filter expression gives the
+                    user's fully-qualified DN</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>There is no cost to staying bound as a named
+                    user</para>
+                  </listitem>
+                </orderedlist>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_bind_dn</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify <literal>DN</literal> (distinguished name) to bind to
+          the LDAP directory. Do not specify this parameter for the anonymous
+          bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_bind_pw</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>An alias for <varname>ldap_password</varname>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_default_domain</parameter> (default:
+        empty)</term>
+
+        <listitem>
+          <para>An alias for <varname>ldap_default_realm</varname>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_default_realm</parameter> (default:
+        empty)</term>
+
+        <listitem>
+          <para>The default realm is assigned to the <option>%r</option> token
+          when realm is not available. See <parameter>ldap_filter</parameter>
+          for more.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_deref</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify how aliases dereferencing is handled during search.
+          Should be one of <option>never</option>, <option>always</option>,
+          <option>search</option>, or <option>find</option> to specify that
+          aliases are never dereferenced, always dereferenced, dereferenced
+          when searching, or dereferenced only when locating the base object
+          for the search.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_filter</parameter> (default:
+        <option>uid=%u</option>)</term>
+
+        <listitem>
+          <para>Specify a filter. The following tokens can be used in the
+          filter string:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>%%</option></term>
+
+              <listitem>
+                <para>This is replaced by a literal ’%’ character.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%u</option></term>
+
+              <listitem>
+                <para><option>%u</option> is replaced by the complete user
+                string.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%U</option></term>
+
+              <listitem>
+                <para>If the string is an address (<option>%u</option>),
+                <option>%U</option> will be replaced by the local part of that
+                address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%d</option></term>
+
+              <listitem>
+                <para>If the string is an address (<option>%u</option>),
+                <option>%d</option> will be replaced by the domain part of
+                that address. Otherwise it will be the same as
+                <option>%r</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%1-9</option></term>
+
+              <listitem>
+                <para>If the input key is
+                <literal>user at mail.example.com</literal>, then
+                <option>%1</option> is <literal>com</literal>,
+                <option>%2</option> is <literal>example</literal> and
+                <option>%3</option> is <literal>mail</literal>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%s</option></term>
+
+              <listitem>
+                <para><option>%s</option> is replaced by the complete service
+                string.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%r</option></term>
+
+              <listitem>
+                <para><option>%r</option> is replaced by the complete realm
+                string.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>%D</option></term>
+
+              <listitem>
+                <para><option>%D</option> is replaced by the complete user DN
+                (available for group checks)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <option>%u</option> token has to be used at minimum for
+          the filter to be useful. If <parameter>ldap_auth_method</parameter>
+          is <option>bind</option>, the filter will search for the
+          <literal>DN</literal> (distinguished name) attribute. Otherwise, the
+          search will look for the <parameter>ldap_password_attr</parameter>
+          attribute.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_attr</parameter> (default:
+        <option>uniqueMember</option>)</term>
+
+        <listitem>
+          <para>Specify what attribute to compare the user DN against in the
+          group. If <parameter>ldap_group_dn</parameter> is not specified,
+          this parameter is ignored. If
+          <parameter>ldap_group_match_method</parameter> is not
+          <option>attr</option>, this parameter is ignored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_dn</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>If specified, the user has to be part of the group in order to
+          authenticate successfully. Tokens described in
+          <parameter>ldap_filter</parameter> can be used for
+          substitution.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_filter</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify a filter. If a filter match is found then the user is
+          in the group. Tokens described in <parameter>ldap_filter</parameter>
+          can be used for for substitution. If
+          <parameter>ldap_group_dn</parameter> is not specified, this
+          parameter is ignored. If
+          <parameter>ldap_group_match_method</parameter> is not filter, this
+          parameter is ignored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_match_method</parameter> (default:
+        <option>attr</option>)</term>
+
+        <listitem>
+          <para>If <option>attr</option> is used the group match method uses
+          <parameter>ldap_group_attr</parameter> and if
+          <option>filter</option> is used
+          <parameter>ldap_group_search</parameter> will be used as group match
+          method. If <parameter>ldap_group_dn</parameter> is not specified,
+          this parameter is ignored.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_search_base</parameter> (default:
+        <varname>ldap_search_base</varname>)</term>
+
+        <listitem>
+          <para>Specify a starting point for the group search: e.g.
+          <literal>dc=example,dc=com</literal>. Tokens described in
+          <parameter>ldap_filter</parameter> can be used for
+          substitution.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_group_scope</parameter> (default: sub)</term>
+
+        <listitem>
+          <para>Group search scope. Options are either <option>sub</option>,
+          <option>one</option> or <option>base</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_password</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify the password for <parameter>ldap_bind_dn</parameter>
+          or <parameter>ldap_id</parameter> if
+          <parameter>ldap_use_sasl</parameter> is turned on. Do not specify
+          this parameter for the anonymous bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_password_attr</parameter> (default:
+        <option>userPassword</option>)</term>
+
+        <listitem>
+          <para>Specify what password attribute to use for password
+          verification.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_referrals</parameter> (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Specify whether or not the client should follow
+          referrals.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_restart</parameter> (default:
+        <option>yes</option>)</term>
+
+        <listitem>
+          <para>Specify whether or not LDAP I/O operations are automatically
+          restarted if they abort prematurely.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_id</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify the authentication ID for SASL bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_authz_id</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify the proxy authorization ID for SASL bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_mech</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify the authentication mechanism for SASL bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_realm</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify the realm of authentication ID for SASL bind.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_scope</parameter> (default:
+        <option>sub</option>)</term>
+
+        <listitem>
+          <para>Search scope. Options are either <option>sub</option>,
+          <option>one</option> or <option>base</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_search_base</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>Specify a starting point for the search: e.g.
+          <literal>dc=example,dc=com</literal>. Tokens described in
+          <parameter>ldap_filter</parameter> can be used for
+          substitution.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_servers</parameter> (default:
+        <option>ldap://localhost/</option>)</term>
+
+        <listitem>
+          <para>Specify one or more URI(s) referring to LDAP server(s), e.g.
+          <literal>ldaps://10.1.1.2:999/</literal>. Multiple servers must be
+          separated by space.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_start_tls</parameter> (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Use StartTLS extended operation. Do not use ldaps:
+          ldap_servers when this option is turned on.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_time_limit</parameter> (default:
+        <option>5</option>)</term>
+
+        <listitem>
+          <para>Specify a number of seconds for a search request to
+          complete.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_timeout</parameter> (default:
+        <option>5</option>)</term>
+
+        <listitem>
+          <para>Specify a number of seconds a search can take before timing
+          out.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_check_peer</parameter> (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Require and verify server certificate. If this option is
+          <option>yes</option>, you must specify
+          <parameter>ldap_tls_cacert_file</parameter> or
+          <parameter>ldap_tls_cacert_dir</parameter>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_cacert_file</parameter> (default:
+        empty)</term>
+
+        <listitem>
+          <para>File containing CA (Certificate Authority)
+          certificate(s).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_cacert_dir</parameter> (default:
+        empty)</term>
+
+        <listitem>
+          <para>Path to directory with CA (Certificate Authority)
+          certificates.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_ciphers</parameter> (default:
+        <option>DEFAULT</option>)</term>
+
+        <listitem>
+          <para>List of SSL/TLS ciphers to allow. The format of the string is
+          described in <citerefentry>
+              <refentrytitle>ciphers</refentrytitle>
+
+              <manvolnum>1</manvolnum>
+            </citerefentry>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_cert</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>File containing the client certificate.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_tls_key</parameter> (default: empty)</term>
+
+        <listitem>
+          <para>File containing the private client key.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_use_sasl</parameter> (default:
+        <option>no</option>)</term>
+
+        <listitem>
+          <para>Use SASL bind instead of simple bind when connecting to the
+          LDAP server.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>ldap_version</parameter> (default:
+        <option>3</option>)</term>
+
+        <listitem>
+          <para>Specify the LDAP protocol version - either <option>2</option>
+          or <option>3</option>. If <parameter>ldap_start_tls</parameter>
+          and/or <parameter>ldap_use_sasl</parameter> are enabled,
+          <parameter>ldap_version</parameter> will be automatically set to
+          <option>3</option>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd</refentrytitle>
+
+        <manvolnum>8</manvolnum>
+      </citerefentry>, Cyrus SASL password verification service</para>
+
+    <para><citerefentry>
+        <refentrytitle>saslauthd.conf</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL saslauthd LDAP configuration file</para>
+
+    <para><citerefentry>
+        <refentrytitle>ldapdb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access LDAP authentication
+    backends</para>
+
+    <para><citerefentry>
+        <refentrytitle>sasldb</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access the sasldb
+    authentication backend</para>
+
+    <para><citerefentry>
+        <refentrytitle>sql</refentrytitle>
+
+        <manvolnum>5</manvolnum>
+      </citerefentry>, Cyrus SASL auxprop plugin to access SQL authentication
+    backends</para>
+  </refsection>
+
+  <refsection>
+    <title>Author(s)</title>
+
+    <para>This manual is based on notes in <filename>LDAP_SASLAUTHD</filename>
+    from Igor Brezac.</para>
+
+    <para><address>Igor Brezac
+<email>Igor at ipass.net</email></address></para>
+
+    <para>It was edited and revised for the Debian distribution because the
+    original program does not have a manual page.</para>
+
+    <para><address>Patrick Ben Koetter
+<email>p at state-of-mind.de</email></address></para>
+  </refsection>
+</refentry>
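Review bot: The ldap_auth_method term gives its default as "bind|fastbind", which is a list of values rather than a default, and it leaves out custom even though custom is described as a third method in the nested list. State the default as bind in the term and keep the sentence "When ldap_use_sasl is enabled, 'fastbind' is the default" in the description, next to the statement that bind is not available with ldap_use_sasl. The custom entry should also say that with this method saslauthd reads the password attribute itself (the ldap_filter text says the search then looks for ldap_password_attr) and that cleartext and unsalted md5/sha values are among the accepted formats, so readers can judge the exposure. Smaller points: ldap_servers is wrapped in <parameter> twice in the Description, the <important> para contains backslash-escaped quotes (\"\') whose backslashes will be printed, the Description names /usr/local/etc/saslauthd.conf as the default while the synopsis shows /etc/saslauthd.conf (please confirm which applies to the Debian package), and See also lists saslauthd.conf(5), the page itself.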

Added: cyrus-sasl-2.1/trunk/debian/doc/sasldb.5
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/sasldb.5?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/sasldb.5 (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/sasldb.5 Wed Dec  3 22:49:32 2008
@@ -1,0 +1,104 @@
+.\"     Title: sasldb
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 11/21/2008
+.\"    Manual: 
+.\"    Source: 
+.\"
+.TH "SASLDB" "5" "11/21/2008" "" ""
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+sasldb \- Cyrus SASL auxprop plugin to access the sasldb authentication backend
+.SH "SYNOPSIS"
+.PP
+\fIauxprop_plugin\fR:
+\fBsasldb\fR
+.SH "DESCRIPTION"
+.PP
+This document describes configuration options for the Cyrus SASL auxiliary property plugin
+\fBsasldb\fR.
+.PP
+\fBsasldb\fR
+is the default and fallback plugin. It will be used if explicitly configured, but also if other mechanisms have failed to load e.g. because they haven't been configured properly.
+.PP
+This plugin reads all user data from a Berkeley database. On Debian systems the default location for this database is
+\fI/etc/sasldb2\fR.
+.PP
+Passwords are stored in plaintext format to enable usage of shared\-secret mechanisms. To protect the passwords, access has been restricted to user
+root
+and group
+sasl. An application must be member of the
+sasl
+group to conduct
+\fBsasldb\fR
+SASL authentication.
+.PP
+Use the
+\fBsaslpasswd2\fR(8)
+utility to create and modify
+\fBsasldb\fR
+users. The
+\fBsasldblistusers2\fR(8)
+command prints a list of existing
+\fBsasldb\fR
+users to
+STDOUT.
+.SH "OPTIONS"
+.PP
+The following configuration parameters are applicable in the context of the
+\fBsasldb\fR
+plugin:
+.PP
+\fIsasldb_path\fR: (default: \fI/etc/sasldb2\fR)
+.RS 4
+Specifies the path to the database when
+\fIauxprop_plugin\fR:
+\fBsasldb\fR
+is used. The default path is system dependant, but usually
+\fI/etc/sasldb2\fR.
+.RE
+.SH "EXAMPLE"
+.PP
+The following example shows a typical
+\fBsasldb\fR
+configuration. The database is located at the default location
+\fI/etc/sasldb2\fR.
+.sp
+.RS 4
+.nf
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+mech_list: plain login cram\-md5 digest\-md5
+.fi
+.RE
+.SH "SEE ALSO"
+.PP
+\fBauthdaemond\fR(5), Cyrus SASL password verification service
+.PP
+\fBldapdb\fR(5), Cyrus SASL auxprop plugin to access LDAP authentication backends
+.PP
+\fBsaslauthd\fR(8), Cyrus SASL password verification service
+.PP
+\fBsaslauthd.conf\fR(5), Cyrus SASL saslauthd LDAP configuration file
+.PP
+\fBsaslpasswd2\fR(5), set a user\(cqs SASL password
+.PP
+\fBsasldblistusers2\fR(5), list users in sasldb
+.PP
+\fBsasldb\fR(5), Cyrus SASL auxprop plugin to access the sasldb authentication backend
+.PP
+\fBsql\fR(5), Cyrus SASL auxprop plugin to access SQL authentication backends
+.SH "AUTHOR"
+.PP
+This manual was written for the Debian distribution because the original program does not have a manual page. Parts of the documentation have been taken from the Cyrus SASL's
+\fIoptions.html\fR.
+.PP
+.RS 4
+.nf
+Patrick Ben Koetter
+<p at state\-of\-mind.de>
+.fi
+.RE
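Review bot: SEE ALSO cites saslpasswd2 and sasldblistusers2 in section 5, while DESCRIPTION cites both as \fBsaslpasswd2\fR(8) and \fBsasldblistusers2\fR(8); use one section for each so the cross-references resolve. SEE ALSO also lists sasldb(5), the page itself, which can be dropped. In the paragraph on plaintext storage, state the ownership and mode the package sets on /etc/sasldb2 instead of only "access has been restricted to user root and group sasl", so an administrator can check it, and say plainly that membership in group sasl gives an application read access to every stored password. In sasldb_path, "system dependant" should be "system dependent".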

Added: cyrus-sasl-2.1/trunk/debian/doc/sql.5
URL: http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc/sql.5?rev=399&op=file
==============================================================================
--- cyrus-sasl-2.1/trunk/debian/doc/sql.5 (added)
+++ cyrus-sasl-2.1/trunk/debian/doc/sql.5 Wed Dec  3 22:49:32 2008
@@ -1,0 +1,234 @@
+.\"     Title: sql
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 11/30/2008
+.\"    Manual: 
+.\"    Source: 
+.\"
+.TH "SQL" "5" "11/30/2008" "" ""
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+sql \- Cyrus SASL auxprop plugin to access sql authentication backends
+.SH "SYNOPSIS"
+.PP
+\fIauxprop_plugin\fR:
+\fBsql\fR
+.SH "DESCRIPTION"
+.PP
+This document describes configuration options for the Cyrus SASL auxiliary property plugin
+\fBsql\fR.
+.PP
+\fBsql\fR
+is a generic plugin for various SQL backends. Currently it provides access to either MySQL, PostgreSQL or SQLite databases.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+.PP
+The plugin requires that passwords are stored in plaintext format to use shared\-secret mechanisms.
+.SH "CONFIGURATION SYNTAX"
+.PP
+The following syntax is mandatory for
+\fBsql\fR
+plugin configuration:
+.TP 4
+\(bu
+SQL statements specified with
+\fIsql_select\fR,
+\fIsql_select\fR
+and
+\fIsql_select\fR
+must not be enclosed in quotes.
+.TP 4
+\(bu
+Macros, e.g.
+\fB%u\fR,
+\fB%r\fR
+and
+\fB%v\fR, specified within SQL statements must be quoted individually.
+.PP
+See
+the section called \(lqEXAMPLE\(rq
+for a valid configuration example.
+.SH "OPTIONS"
+.PP
+The following configuration parameters are applicable in the context of the
+\fBsql\fR
+plugin:
+.PP
+\fIsql_engine\fR (default: \fBmysql\fR)
+.RS 4
+Specifies the type of SQL engine to use for connections to the SQL backend. The following types are available:
+.RS 4
+.PP
+\fBmysql\fR
+.RS 4
+Enables the mysql driver for connections to a MySQL server.
+.RE
+.PP
+\fBpgsql\fR
+.RS 4
+Enables the pgsql driver for connections to a PostgreSQL server.
+.RE
+.PP
+\fBsqlite\fR
+.RS 4
+Enables the sqlite driver for connections to a SQLite server.
+.RE
+.RE
+.RE
+.PP
+\fIsql_hostnames\fR (default: empty)
+.RS 4
+A comma\-separated list of one or more SQL servers the plugin should try to connect to and query from. Specify servers separated in
+hostname[:port]
+format.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+\fBNote\fR
+Specify
+localhost
+when using the MySQL engine to communicate over a UNIX domain socket and
+127.0.0.1
+to attempt a connection that uses a TCP socket.
+.RE
+.PP
+\fIsql_user\fR (default empty)
+.RS 4
+Configures the username the plugin will send when it authenticates to the SQL server.
+.RE
+.PP
+\fIsql_passwd\fR (defaults: empty)
+.RS 4
+Configures the password the plugin will send when it authenticates to the SQL server.
+.RE
+.PP
+\fIsql_database\fR (default: empty)
+.RS 4
+Specifies the name of the database which contains auxiliary properties (e.g. username, realm, password etc.)
+.RE
+.PP
+\fIsql_select\fR (default: empty)
+.RS 4
+Mandatory
+SELECT
+statement used to fetch properties from the SQL database.
+.RE
+.PP
+\fIsql_insert\fR (default: empty)
+.RS 4
+Optional
+INSERT
+statement used to create properties for new users in the SQL database.
+.RE
+.PP
+\fIsql_update\fR (default: empty)
+.RS 4
+Optional
+UPDATE
+statement used to modify properties in the SQL database.
+.RE
+.PP
+\fIsql_usessl\fR (default: \fBno\fR)
+.RS 4
+Specify either
+\fByes\fR,
+\fBon\fR,
+\fB1\fR
+or
+\fBtrue\fR, and the plugin will try to establish a secure connection to the SQL server.
+.sp
+Does this really work? I remember it doesn't ...
+.RE
+.SS "Macros"
+.PP
+The sql plugin provides macros to build
+\fIsql_select\fR,
+\fIsql_select\fR
+and
+\fIsql_select\fR
+statements. They will be replaced with arguments sent from the client. The following macros exist:
+.PP
+%u
+.RS 4
+The name of the user whose properties are being selected, inserted or updated.
+.RE
+.PP
+%p
+.RS 4
+The name of the property being selected, inserted or updated. While this could technically be anything, Cyrus SASL will try
+\fIuserPassword\fR
+and
+\fIcmusaslsecret\fR\fI\fIMECHNAME\fR\fR
+(where
+\fIMECHNAME\fR
+is the name of a SASL mechanism).
+.RE
+.PP
+%r
+.RS 4
+Name of the realm to which the user belongs. This could be the KERBEROS realm, the FQDN of the computer the SASL application is running on or whatever is after the @ on a username.
+.RE
+.PP
+%v
+.RS 4
+Value of the property being stored during insert or update operations. While this could technically be anything depending on the property itself, it generally is a
+\fIuserPassword\fR.
+.RE
+.SH "EXAMPLE"
+.PP
+The following example shows a typical
+\fBsql\fR
+configuration:
+.sp
+.RS 4
+.nf
+pwcheck_method: auxprop
+auxprop_plugin: sql
+mech_list: plain login cram\-md5 digest\-md5
+sql_engine: pgsql
+sql_hostnames: 127.0.0.1, 192.0.2.1
+sql_user: username
+sql_passwd: secret
+sql_database: company
+sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+.fi
+.RE
+.SH "SEE ALSO"
+.PP
+\fBauthdaemond\fR(5), Cyrus SASL password verification service
+.PP
+\fBauxprop5, Cyrus SASL list of auxiliary property plugins\fR()
+.PP
+\fBauxprop\-ldapdb\fR(5), Cyrus SASL auxprop plugin to access LDAP authentication backends
+.PP
+\fBauxprop\-sasldb\fR(5), Cyrus SASL auxprop plugin to access the sasldb authentication backend
+.PP
+\fBauxprop\-sql\fR(5), Cyrus SASL auxprop plugin to access SQL authentication backends
+.PP
+\fBsaslauthd\fR(8), Cyrus SASL password verification service
+.PP
+\fBsaslauthd.conf\fR(5), Cyrus SASL saslauthd LDAP configuration file
+.PP
+\fBsaslpasswd2\fR(5), set a user\(cqs SASL password
+.PP
+\fBsasldblistusers2\fR(5), list users in sasldb
+.SH "AUTHOR"
+.PP
+This manual was written for the Debian distribution because the original program does not have a manual page. Parts of the documentation have been taken from the Cyrus SASL's
+\fIoptions.html\fR.
+.PP
+.RS 4
+.nf
+Patrick Ben Koetter
+<p at state\-of\-mind.de>
+.fi
+.RE
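Review bot: The sql_usessl entry ends with the open question "Does this really work? I remember it doesn't ...", which would ship in the man page and leaves readers unsure whether sql_user and sql_passwd travel over an encrypted connection. Verify the behaviour and document the result, or take the sentence out of the page until that is done. CONFIGURATION SYNTAX and Macros both list "sql_select, sql_select and sql_select"; going by OPTIONS these should be sql_select, sql_insert and sql_update. In EXAMPLE, the clause "WHERE user = '%u'@'%r'" joins two quoted strings with a bare @, which is not string concatenation in SQL and will not compare as intended with the pgsql engine configured in the same example; compare user and realm in separate conditions or concatenate them explicitly. The SEE ALSO entry "\fBauxprop5, Cyrus SASL list of auxiliary property plugins\fR()" has the section number inside the name and empty parentheses, the sql_user and sql_passwd headings say "(default empty)" and "(defaults: empty)" where the others say "(default: empty)", and "connections to a SQLite server" should refer to a database file.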



