Options for Cyrus SASL

This document contains information on what options are used by the Cyrus SASL library and bundled mechanisms:

Each entry gives the option name, the component that reads it, its default, and a description.

auto_transition  (used by: SASL Library; default: no)
    When set to 'yes' and when using the sasldb auxprop plugin, automatically transition users to other mechanisms when they complete a successful plaintext authentication.

auxprop_plugin  (used by: Auxiliary Property Plugin; default: (null), which queries all plugins)
    Name of the auxiliary property plugin to use. You may specify a space-separated list of plugin names, and the plugins will be queried in order.

canon_user_plugin  (used by: SASL Library; default: INTERNAL)
    Name of the canon_user plugin to use.

keytab  (used by: GSSAPI; default: /etc/krb5.keytab, system dependent)
    Location of the keytab file.

mech_list  (used by: SASL Library; default: all available)
    Whitespace-separated list of mechanisms to allow (e.g. 'plain otp'). Used to restrict the mechanisms to a subset of the installed plugins.

opiekeys  (used by: OTP (with OPIE); default: /etc/opiekeys)
    Location of the opiekeys file.

otp_mda  (used by: OTP (w/o OPIE); default: md5)
    Message digest algorithm for one-time passwords, used by sasl_setpass (possible values: 'md4', 'md5', 'sha1').

plugin_list  (used by: SASL Library; default: none)
    Location of the plugin list (unsupported).

pwcheck_method  (used by: SASL Library; default: auxprop)
    Whitespace-separated list of methods used to verify passwords, used by sasl_checkpass (possible values: 'auxprop', 'pwcheck', 'saslauthd', 'alwaystrue'). Note that 'alwaystrue' accepts any password and is only suitable for testing.

reauth_timeout  (used by: DIGEST-MD5; default: 0)
    Length of time (in minutes) that authentication info will be cached for a fast reauth. A value of 0 disables reauth.

saslauthd_path  (used by: SASL Library; default: system dependent)
    Path to the saslauthd run directory (including the "/mux" named pipe).

sasldb_path  (used by: sasldb plugin; default: /etc/sasldb2, system dependent)
    Path to the sasldb file.

srp_mda  (used by: SRP; default: sha1)
    Message digest algorithm for SRP calculations (possible values: 'md5', 'sha1', 'rmd160').

srvtab  (used by: KERBEROS_V4; default: /etc/srvtab, system dependent)
    Location of the srvtab file.

MySQL auxprop options

The MySQL auxprop plugin takes the following options (the option names were lost from this page; only mysql_statement is named below):

    the username to log in as to the MySQL server
    the password to use
    a comma-separated list of hosts
    the database to connect to
    the select statement to use (mysql_statement)
    if set, the plugin will print the select statement to syslog

The select statement given in the mysql_statement option is parsed for three placeholders, %u, %r and %p, which are replaced with the username, the realm and the property requested, respectively. For example:

    mysql_statement: select %p from user_table where username = '%u' and realm = '%r'

would send the following statement to MySQL for user "bovik" in the default realm for the machine "madoka.surf.org.uk":

    select userPassword from user_table where username = 'bovik' and realm = 'madoka.surf.org.uk'

Do NOT put quotes around the whole statement, but do put quotes around the arguments '%u', '%r', etc., since their values are inserted into the SQL as strings. The placeholders are:

    %u  the username the user logged in as
    %p  the property requested; this could technically be anything, but SASL authentication will try userPassword and cmusaslsecretMECHNAME (where MECHNAME is the name of a mechanism)
    %r  the realm, which could be the Kerberos realm, the FQDN of the computer the SASL application is on, or whatever follows the @ in a username (read the realm documentation)

Not all substitutions have to be used. For instance, "select password from auth where username = '%u'" is a valid value for mysql_statement.
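The following is an added example, not code from the Cyrus SASL project: a small Python model of the %u/%r/%p expansion described above, plus a checker for the quoting rule (quote the arguments, not the whole statement; leave %p unquoted because it names a column, as the page's own example shows). The sample statement and values are the page's; the function names, the PLACEHOLDER_RE pattern and the check messages are this example's own, not the plugin's.

```python
"""Model of mysql_statement placeholder expansion (added example, not the
Cyrus SASL plugin's code). Expands %u, %r and %p exactly as the page
describes and checks the quoting advice given for the statement."""
import re

# The three placeholders the page documents; anything else is left alone.
PLACEHOLDER_RE = re.compile(r"%([urp])")

# Statement and expected SQL taken from the page's worked example.
STATEMENT = "select %p from user_table where username = '%u' and realm = '%r'"
EXPECTED_SQL = ("select userPassword from user_table where username = 'bovik' "
                "and realm = 'madoka.surf.org.uk'")


def expand_statement(template, username, realm, prop):
    """Replace %u, %r and %p with the username, realm and property.

    The substitution is literal string replacement, which is all the page
    describes; it models the documented behaviour, not the plugin's source.
    """
    values = {"u": username, "r": realm, "p": prop}
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], template)


def check_placeholders(template):
    """Return a list of quoting problems in a mysql_statement template.

    Rules checked (from the page's advice and its example):
      * the whole statement must not be wrapped in quotes;
      * %u and %r are string arguments and must sit inside single quotes;
      * %p is a column name and must not be quoted, otherwise the SELECT
        returns the literal text of the property name instead of its value.
    """
    problems = []
    stripped = template.strip()
    if len(stripped) >= 2 and stripped[0] == stripped[-1] and stripped[0] in "'\"":
        problems.append("statement is wrapped in quotes; give it unquoted")
    for m in PLACEHOLDER_RE.finditer(template):
        before = template[m.start() - 1] if m.start() > 0 else ""
        after = template[m.end()] if m.end() < len(template) else ""
        quoted = before == "'" and after == "'"
        if m.group(1) in "ur" and not quoted:
            problems.append("%%%s must be enclosed in single quotes" % m.group(1))
        if m.group(1) == "p" and quoted:
            problems.append("%p is a column name; quoting it selects a string literal instead")
    return problems


if __name__ == "__main__":
    sql = expand_statement(STATEMENT, "bovik", "madoka.surf.org.uk", "userPassword")
    print(sql)
    print("matches page example:", sql == EXPECTED_SQL)
    print("quoting problems:", check_placeholders(STATEMENT) or "none")
```

Because the expansion modelled here is literal, a value containing a single quote changes the resulting SQL text; whether the real plugin escapes substituted values is not covered on this page, so check the plugin source or release notes for the version you deploy before relying on it.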

