FreeBSD Cyrus SASL

From shankerbalan.net

Cyrus SASL is an implementation of the Simple Authentication and Security Layer (SASL), a framework for adding authentication mechanisms to connection-based protocols. It is most commonly used to provide SMTP Authentication in MTAs (Postfix, Sendmail, etc.) and is also the authentication subsystem of the Cyrus mail suite.

  • Package Versions
[godzilla] ~> uname -a
FreeBSD godzilla.domain.com 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Mon Aug 25 13:13:16 IST 2003     root@godzilla.domain.com:/usr/obj/usr/src/sys/MYKERNEL  i386
cyrus-sasl-2.1.15
cyrus-sasl-saslauthd-2.1.15_1
  • Install via "portinstall"
[godzilla] ~# portinstall security/cyrus-sasl2
[godzilla] ~# portinstall security/cyrus-sasl2-saslauthd
  • pkgtools.conf
MAKE_ARGS = {
      'security/cyrus-sasl2' => 'WITH_BDB_VER=41 WITH_MYSQL=yes WITH_DEV_URANDOM=yes MAKE_KERBEROS5=yes',
}
  • rc.conf (See /usr/local/etc/rc.d/saslauthd.sh)
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a sasldb"
  • start saslauthd
[godzilla] ~# /usr/local/etc/rc.d/saslauthd.sh start
saslauthd
[godzilla] ~# ps ax|grep saslauthd
 5835  ??  Ss     0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5836  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5837  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5838  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb
 5839  ??  S      0:00.00 /usr/local/sbin/saslauthd -a sasldb

Sasldb User Management

  • Use "saslpasswd2" and "sasldblistusers2"
[godzilla] ~# saslpasswd2 -c cyrus
Password: ******
Again (for verification): ******

[godzilla] ~# sasldblistusers2
cyrus@godzilla.domain.com: userPassword

LDAP Authentication

###
### /usr/local/etc/saslauthd.conf
###
ldap_servers: ldap://ldap.domain.com/
ldap_version: 3
ldap_search_base: ou=people,dc=domain,dc=com
ldap_auth_method: bind
##
## rc.conf
##
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a ldap"
  • See /usr/local/share/doc/cyrus-sasl2/saslauthd/LDAP_SASLAUTHD and saslauthd(8). Note that with ldap_auth_method: bind the user's password is sent to the LDAP server as the bind credential, so it should not cross the network over plain ldap://; LDAP_SASLAUTHD also documents ldap_start_tls and ldap_tls_cacert_file for protecting that connection.

Testing Authentication

Hmm... where did the sample "client" and "server" go? I think it's not installed by default.
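As an added example (not from the original page), the check most people fall back on when the sample programs are missing: build the SASL PLAIN token that an SMTP client sends in AUTH PLAIN, decode it back to confirm it carries the expected user and password, and emit the client side of the dialogue so it can be piped into an SMTP session against the MTA. The user "cyrus", the password "secret" and the EHLO name are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: SASL PLAIN (RFC 4616) token handling for testing SMTP AUTH
# against a Cyrus SASL backed MTA. The credentials used in comments and tests
# are placeholders. The token is base64, not encryption: only send it over TLS.

# Base64-encode stdin on one line. GNU and BSD both ship base64(1); openssl
# is the fallback.
b64() {
    if command -v base64 >/dev/null 2>&1; then
        base64 | tr -d '\n'
    else
        openssl base64 | tr -d '\n'
    fi
}

# Base64-decode stdin.
b64d() {
    if command -v base64 >/dev/null 2>&1; then
        base64 -d
    else
        openssl base64 -d
    fi
}

# PLAIN message = [authzid] NUL authcid NUL password. The authorization
# identity is left empty, which is what nearly every mail client sends.
# Usage: plain_auth_token USER PASSWORD
plain_auth_token() {
    printf '\0%s\0%s' "$1" "$2" | b64
}

# Decode a token to "authcid:password" for eyeballing. NUL separators are
# mapped to ':' with tr so the result stays a plain shell string.
# Usage: plain_auth_decode TOKEN
plain_auth_decode() {
    printf '%s' "$1" | b64d | tr '\000' ':' | sed 's/^://'
}

# Emit the client side of an SMTP AUTH PLAIN session, suitable for piping into
#   openssl s_client -quiet -starttls smtp -connect mail.domain.com:25
# Expect "235 ... Authentication successful" from Postfix on success and
# "535 ... authentication failed" when saslauthd/sasldb rejects the pair.
# Usage: smtp_auth_plain_script EHLO_NAME USER PASSWORD
smtp_auth_plain_script() {
    printf 'EHLO %s\r\n' "$1"
    printf 'AUTH PLAIN %s\r\n' "$(plain_auth_token "$2" "$3")"
    printf 'QUIT\r\n'
}
```

For saslauthd itself, the cyrus-sasl-saslauthd port also builds testsaslauthd, which talks straight to the saslauthd mux socket (testsaslauthd -u cyrus -p secret) and is the quickest way to tell a saslauthd problem from an MTA configuration problem.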

Notes

  • If you are not using "saslauthd" to handle authentication, sasldb2 must be readable by the process performing the authentication. For example, if Postfix is configured via "smtpd.conf" to check passwords against "sasldb" directly (pwcheck_method: auxprop with auxprop_plugin: sasldb) instead of through "saslauthd", sasldb2 must be readable by user/group "mail". Keep it group-readable only, never world-readable: sasldb2 stores the userPassword values in plaintext so that the shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) can work, and anyone who can read the file can authenticate as every user in it.
  • The application has to be linked against the cyrus-sasl2 libraries (libsasl2) and not against the older cyrus-sasl 1.x libraries. Applications built against the old libraries look up "sasldb", not "sasldb2", so users created with saslpasswd2 will be invisible to them.
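An added check (not from the original page) for the first note above: confirm that sasldb2 is readable by the group the authenticating daemon runs as, and by nobody else. The path and group are parameters; the FreeBSD port normally keeps the database at /usr/local/etc/sasldb2, and the "mail" group matches the Postfix case in the note, but both are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Added example: verify sasldb2 permissions for the "no saslauthd" case where
# the MTA itself opens the database. The database must be group-readable by
# the daemon's group and closed to others, since it holds plaintext secrets.
# Path and group are parameters; the defaults in comments are assumptions.

# Print "mode owner group" for a file. ls(1) output is parsed instead of
# stat(1) because stat's flags differ between FreeBSD and GNU.
file_mode_owner_group() {
    set -- $(ls -ld "$1")
    printf '%s %s %s\n' "$1" "$3" "$4"
}

# Return 0 if the sasldb at $1 is readable by group $2 and has no access bits
# for others; otherwise print the reason and the fix on stderr and return 1.
# Usage: check_sasldb_perms /usr/local/etc/sasldb2 mail
check_sasldb_perms() {
    db=$1
    want_group=$2
    if [ ! -f "$db" ]; then
        echo "$db: not a regular file" >&2
        return 1
    fi
    set -- $(file_mode_owner_group "$db")
    mode=$1
    owner=$2
    group=$3
    # Positions 8-10 of the mode string are the "other" bits; a trailing
    # '+' or '.' (ACLs, SELinux) is tolerated by the '*'.
    case $mode in
        ???????---*) ;;
        *) echo "$db: accessible by others ($mode); run: chmod o-rwx $db" >&2
           return 1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "$db: group is $group, expected $want_group; run: chgrp $want_group $db" >&2
        return 1
    fi
    # Position 5 is the group read bit.
    case $mode in
        ????r*) return 0 ;;
        *) echo "$db: not group-readable ($mode); run: chmod g+r $db" >&2
           return 1 ;;
    esac
}
```

Run it after every saslpasswd2 invocation as well: the Berkeley DB file is rewritten in place and keeps its mode, but a restore from backup or a manual copy easily comes back as mode 644.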

ToDo

  • Document the usage of the sample SASL client/server for testing