Read Me First
This document offers a general overview of the SASL library.
The following mechanisms are included in
The library uses a Berkeley DB, gdbm or ndbm file on the server side
to store per-user authentication secrets. The utility
saslpasswd has been included for adding authentication
secrets to the file.
- GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)
- NTLM (requires OpenSSL libcrypto)
- OTP (requires OpenSSL libcrypto)
- SRP (work in progress; requires OpenSSL libcrypto)
PLAIN uses the saslauthd (preferred and now standard), the pwcheck
daemon (obsolete), or an auxilliary property plugin (for example,
The sample directory contains two programs which provide a reference
for using the library, as well as making it easy to test a mechanism
on the command line. See programming.html for more information.
This library is believed to be thread safe IF:
- you supply mutex functions (see sasl_set_mutex())
- you make no libsasl calls until sasl_client/server_init() completes
- no libsasl calls are made after sasl_done() is begun
- the GSSAPI plugin requires a thread-safe GSS Kerberos 5 library.
If you are upgrading from libsasl v1, please see upgrading.html.
Please see the file install.html to install
this package. We hope it to be relatively straightforward; if you try
it on systems that we haven't, please contact us with your
The library uses the environment variable SASL_PATH to locate the
directory where the mechanisms are; this should be a colon-separated
list of directories containing plugins.
INSTALLATION ON MAC OS X
Please read macosx.html
By default, libsasl looks for configuration files in
/usr/lib/sasl/Appname.conf where Appname is settable by the
application (for example, Sendmail 8.10 and later set this to
"Sendmail"). Applications can also override this default
For a detailed guide on configuring libsasl, please look at
sysadmin.html and options.html
- There are some interoperability problems with the DIGEST-MD5 plugin.
- libtool doesn't always link libraries together. In our environment,
we only have static Krb5 libraries; the GSSAPI plugin should link
these libraries in on platforms that support it (Solaris and Linux
among them) but it does not. It also doesn't always get the runpath
of libraries correct.
- Also see the "TODO" file and our bugzilla.
UPGRADING from Cyrus SASL v1
For any comments/suggestions/bug reports, please contact email@example.com.
Be sure to include the version of libsasl and your operating system;
messages without this information will not be answered.
Major contributors to the libsasl code can be found in the top-level
Back to the index