To enable SASL authentication via Cyrus SASL (saslauthd) service, do the following:
1. Configure and start the Cyrus SASL (saslauthd) service.
2. Configure Dr.Web MailD to use Cyrus SASL (the settings are specified in the [SASL] section and the [Cyrus-SASL] section):
   o Enable SASL authentication and use of the cyrus driver:
     Use = yes
     Driver = cyrus
   o Specify the path to the libsasl library as the Lib parameter value.
   o Specify the path to the configuration file that manages authentication via the saslauthd service as the Path parameter value; for example: /etc/sasl2/maild (without the .conf extension). This file must be located in the directory where saslauthd searches for configuration.

Note: The directory used by Cyrus SASL to find the configuration file depends on the Cyrus SASL version and OS distribution.
• Cyrus SASL version 2.x searches for the file in the /usr/lib/sasl2/ directory.
• Cyrus SASL version 2.1.22 and newer also searches for the file in the /etc/sasl2/ directory.
Cyrus SASL of any version starts the file search from the /usr/lib/sasl2/ directory. If the configuration file is found in this directory, the search stops.
3. Create the authentication configuration file (in the given example – /etc/sasl2/maild.conf) and specify the required parameters. The file structure is as follows: <parameter>: value pairs, specified one per line. If a parameter can have several values, they must be separated by white space. The following parameters are mandatory:
   o pwcheck_method - password authentication method. The name of the module used for authentication must be specified here. Allowed values are:
     Value        Authentication source
     saslauthd    saslauthd daemon
     auxprop      an auxiliary module that queries external data storages (databases, LDAP) for authentication data
   o mech_list - list of authentication mechanisms to be used. Allowed values are plain, login, cram-md5, digest-md5 and ntlm. Note that with saslauthd only the plain and login mechanisms can be used.
The saslauthd daemon can retrieve authentication data from the system file /etc/shadow; it can also use PAM and IMAP server data. For details on how to configure saslauthd to use the required data source, refer to the Cyrus SASL documentation.
   o When data stored in a database or LDAP is to be used, set the pwcheck_method parameter value to auxprop and specify the data source as the auxprop_plugin parameter value. The following values are allowed:
     Plug-in    Used data source
     sasldb     sasldb database (Berkeley DB for Cyrus SASL)
     sql        MySQL, PostgreSQL and SQLite relational DBMS
     ldapdb     LDAP
If you set the value to sasldb, specify the path to the used database as the sasldb_path parameter value. If not specified, the default path /etc/sasldb2 is used.
If you set the value to sql, configure the following parameters:
   sql_engine
       Defines the DBMS used. Allowed values:
       • mysql - MySQL;
       • pgsql - PostgreSQL;
       • sqlite - SQLite.
   sql_hostnames
       Defines the address for the DBMS connection (hostname or hostname:port). When several DBMS servers are used, specify several addresses separated by commas.
       Note: For MySQL, specify the "localhost" value to connect via the UNIX socket, or specify the IP address 127.0.0.1 to connect via a TCP socket.
   sql_user
       Defines the username for the database connection.
   sql_passwd
       Defines the user password.
   sql_database
       Defines the database name.
   sql_select
       Defines the SELECT SQL statement used for retrieving the user password as plain text.
       Important note: Do not enclose the SQL statement in quotes. To specify a macro (see below), enclose it in single quotation characters (').
       The following macros can be used in SQL statements (they are replaced with the corresponding data received from the client):
       • %u - username;
       • %r - realm (domain) to which the user belongs. It can be either a Kerberos realm, the FQDN of the host where the SASL application is launched, or an email domain (that is, the part of an email address following the at sign "@").
If you set the value to ldapdb, configure the following LDAP parameters:
   ldapdb_uri
       LDAP URI to be used. The following prefixes can be specified:
       • ldapi:// - connect via the UNIX socket;
       • ldap:// - connect via a TCP connection;
       • ldaps:// - establish a secured TCP connection (TLS is used).
   ldapdb_id
       Login for authentication on the LDAP server (proxy authentication).
   ldapdb_pw
       Password (as plain text) for authentication on the LDAP server (proxy authentication).
   ldapdb_mech
       Authentication mechanism used by the LDAP server.
   ldapdb_rc (optional)
       Path to the file containing personal settings of the local LDAP client (libldap). For example, this file can define the client TLS certificate used for the secured connection.
   ldapdb_starttls (optional)
       TLS usage policy. Two values are allowed – try and demand.
       When try is specified, the LDAP client module tries to establish a secured connection and, if this attempt fails, switches to unsecured mode. When demand is specified and a secured connection cannot be established, the connection to the LDAP server is refused.
Examples:
1. The simplest configuration (saslauthd is used):
   pwcheck_method: saslauthd
   mech_list: plain login
2. Using the sasldb data source:
   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: plain login cram-md5
   sasldb_path: /etc/sasldb2
3. Using a PostgreSQL database:
   pwcheck_method: auxprop
   auxprop_plugin: sql
   mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
   sql_engine: pgsql
   sql_hostnames: 127.0.0.1, 192.0.2.1
   sql_user: username
   sql_passwd: secret
   sql_database: dbname
   sql_select: SELECT password FROM users WHERE user = '%u@%r'
Note that it is not always necessary to create an authentication configuration file for Cyrus SASL. If such a file is not created, the default authentication settings and the default authentication data source are used.
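As an added example (not part of the Dr.Web MailD or Cyrus SASL documentation), the following Python script parses a configuration file of the "parameter: value" form described in step 3 and checks it against the rules above: the mandatory parameters, the plain/login restriction for saslauthd, the unquoted sql_select, and the settings a reviewer should look at because they weaken transport security (clear-text mechanisms, the plain-text password store behind the sql plug-in, and the try fallback of ldapdb_starttls). The sample configuration and its credentials are constructed placeholders.

```python
# Added example (not Dr.Web's or Cyrus SASL's code): check a Cyrus SASL config file against the rules in the text.
MECHS = {"plain", "login", "cram-md5", "digest-md5", "ntlm"}
PLUGINS = {"sasldb", "sql", "ldapdb"}
SQL_PARAMS = ("sql_engine", "sql_hostnames", "sql_user", "sql_passwd", "sql_database", "sql_select")

def parse_sasl_conf(text):
    """One 'parameter: value' pair per line; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip()
    return conf

def check_sasl_conf(conf):
    """Return findings: 'E:' = configuration error, 'W:' = security weakness to review."""
    out = []
    method = conf.get("pwcheck_method")
    mechs = set(conf.get("mech_list", "").lower().split())  # names are case-insensitive
    if method not in ("saslauthd", "auxprop"):
        out.append("E: pwcheck_method must be saslauthd or auxprop")
    if not mechs or mechs - MECHS:
        out.append("E: mech_list is mandatory and may list only plain, login, cram-md5, digest-md5, ntlm")
    if method == "saslauthd" and mechs - {"plain", "login"}:
        out.append("E: saslauthd supports only plain and login")
    if mechs & {"plain", "login"}:
        out.append("W: plain/login send the password in clear; require TLS on the listener")
    if method == "auxprop":
        plugin = conf.get("auxprop_plugin")
        if plugin not in PLUGINS:
            out.append("E: auxprop_plugin must be sasldb, sql or ldapdb")
        elif plugin == "sql":
            out += [f"E: {p} is required for the sql plug-in" for p in SQL_PARAMS if p not in conf]
            if conf.get("sql_engine") not in ("mysql", "pgsql", "sqlite"):
                out.append("E: sql_engine must be mysql, pgsql or sqlite")
            if conf.get("sql_select", "").startswith(('"', "'")):
                out.append("E: sql_select must not be enclosed in quotes")
            out.append("W: the sql plug-in reads passwords stored in plain text; lock down the DB account")
        elif plugin == "ldapdb" and conf.get("ldapdb_starttls") == "try":
            out.append("W: ldapdb_starttls try silently falls back to unencrypted LDAP; prefer demand")
    return out

# Constructed sample in the style of example 3 above (placeholder credentials).
SAMPLE = "\n".join(["pwcheck_method: auxprop", "auxprop_plugin: sql", "mech_list: PLAIN LOGIN",
                    "sql_engine: pgsql", "sql_hostnames: 127.0.0.1", "sql_user: username",
                    "sql_passwd: secret", "sql_database: dbname",
                    "sql_select: SELECT password FROM users WHERE user = '%u@%r'"])
if __name__ == "__main__":
    for finding in check_sasl_conf(parse_sasl_conf(SAMPLE)):
        print(finding)
```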