saslauthd: support several authentication methods

Dan White dwhite at olp.net
Thu Dec 31 17:08:56 UTC 2009


On 29/12/09 21:51 +0100, Patrick Ben Koetter wrote:
>* Dan White <dwhite at olp.net>:
>> On 29/12/09 11:08 +0100, Patrick Ben Koetter wrote:
>> >My current workload is high. I need to revise "The book of Postfix" for
>> >Postfix 2.7 and I will meet Alexey Melnikov (Cyrus SASL maintainer) end of
>> >January to create and add documentation upstream.
>> >
>> >p at rick
>> 
>> Patrick,
>> 
>> Can you post a link or bug number? I'll try to take a look at them as well.
>
>Thanks. Everything I have written so far resides in the repository below:
>
>  pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/doc

Patrick,

Looks great! Here are some comments for your consideration.

In libsasl.5, the warning about ldapdb not applying to auto_transition is
no longer correct. The ldapdb auxprop does support the store function (see
ldapdb_auxprop_store), and does work with auto_transition.

In libsasl.5 under 'auxprop_plugin', you have 'A whitespace-separated list
of one or more auxiliary plugins used if the pwcheck_method parameter
specifies auxprop as an option.'

This is partially true. The auxprop plugins will be used for the
PLAIN/LOGIN mechanisms if the pwcheck_method parameter includes auxprop as
an option. However, auxprop(s) will be used regardless of the pwcheck_method
setting, when authenticating DIGEST-MD5/CRAM-MD5/OTP/SRP. They will also be
used when auto_transition is enabled.

I have a difference with how the following options are documented in
options.html. I believe the following to be more accurate:

authdaemond_path - On Debian, the default is /var/run/courier/authdaemon/socket

auxprop_plugin - The default is to use all initialized auxprop plugins.

mech_list - The default is to use (offer) all initialized authentication
mechanisms.

saslauthd_path - On Debian, the default is /var/run/saslauthd/mux

The following options (as of 2.1.24 rc1) are not documented yet in your man
pages:

canon_user_plugin
keytab
ldapdb_canon_attr
ntlm_server
ntlm_v2
opiekeys
otp_mda
plugin_list
reauth_timeout
srp_mda
srvtab

You might want to include a brief discussion of user canonicalization
plugins in libsasl.5 (including the canon_user_plugin option). As of 2.1.24
rc1, 'ldapdb' is a supported parameter for that option.

In ldapdb.5:

States that "The LDAP server must authorize the ldapdb proxy user to access
the authenticating users userPassword and "... retrieve the authenticating
users userPassword". The sasl library may also retrieve or update these
parameters:

cmusaslsecretOTP
cmusaslsecretSRP

This isn't ldapdb specific, and should be true of all auxprop plugins. OTP
I've used. SRP I haven't, so I can't personally vouch for cmusaslsecretSRP.

ldapdb_uri - has no default and is mandatory for ldapdb initialization (as
either an auxprop or canon_user plugin).

ldapdb_mech - by default will use the strongest mechanism (as determined by
the local sasl library) offered by the LDAP server.

ldapdb_canon_attr - new in 2.1.24 rc1. From options.html: "Use the value of
the specified attribute as the user's canonical name. The attribute will be
looked up in the user's LDAP entry. This setting must be configured in
order to use LDAPDB as a canonuser plugin."

I did not take a close look at saslauthd.conf.5 or sql.5 since I have not
used either.

-- 
Dan White
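As an added illustration (not part of Dan's mail, the Debian man pages under review, or the Cyrus SASL distribution), the fragment below collects the options discussed above into one application-level SASL configuration and annotates each with the behaviour the mail describes. The file path, the `ldapi:///` / `EXTERNAL` binding and the `uid` attribute are assumptions chosen for the example; the option names themselves are the ones named in the mail.

```conf
# /etc/postfix/sasl/smtpd.conf  (assumed location; Postfix is just the example
# libsasl application here)

# Mechanisms to offer.  The default is to offer all initialized mechanisms;
# listing them makes the interaction with the other options explicit.
# PLAIN and LOGIN carry the password in the clear and belong behind TLS.
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

# PLAIN/LOGIN pass the clear-text password to these checkers in order.  For
# those two mechanisms the auxprop plugin is consulted only because "auxprop"
# appears in this list.  saslauthd is reached via its Debian default socket.
pwcheck_method: saslauthd auxprop
saslauthd_path: /var/run/saslauthd/mux

# CRAM-MD5/DIGEST-MD5 (and OTP/SRP, if offered) need the stored secret, so
# they use the auxprop plugin regardless of pwcheck_method.  The default is
# every initialized auxprop plugin; name one explicitly to avoid surprises.
auxprop_plugin: ldapdb

# auto_transition writes secrets through the auxprop store function, which
# ldapdb implements (ldapdb_auxprop_store), so it does work with ldapdb.
# "no" keeps a successful PLAIN/LOGIN from creating shared-secret entries.
auto_transition: no

# ldapdb_uri has no default; without it the plugin does not initialize,
# whether loaded as an auxprop or as a canon_user plugin.  ldapi:/// with
# EXTERNAL is an assumed deployment (the directory maps the local peer
# credentials to the proxy identity); left unset, ldapdb_mech picks the
# strongest mechanism the LDAP server offers.
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL

# Only relevant when ldapdb is also used for user canonicalization
# (2.1.24 rc1 and later).  ldapdb_canon_attr is mandatory in that role: the
# named attribute's value from the user's entry becomes the canonical name.
canon_user_plugin: ldapdb
ldapdb_canon_attr: uid
```

Reading the fragment top to bottom gives the split the mail is pointing at: `pwcheck_method` governs only the clear-text mechanisms, while `auxprop_plugin` is in play for the shared-secret mechanisms and for `auto_transition` no matter what `pwcheck_method` says.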



More information about the Pkg-cyrus-sasl2-debian-devel mailing list