Upgrading from Cyrus SASLv1 to Cyrus SASLv2

This document covers issues with upgrading from SASLv1 to SASLv2. To upgrade:

Backwards Compatibility

Cyrus SASLv2 is completely incompatible with applications that use Cyrus SASLv1. This means that applications are unable to simultaneously link both versions of the library, and developers are encouraged to instead develop or upgrade their applications to link against the new libsasl.

Likewise, the format for the sasldb database has been completely revamped. See here for a discussion of the relevant upgrade issues related to sasldb. All new passwords stored in the sasldb database will be in plaintext, meaning that a compromised sasldb will compromise all services with the same passwords. (This situation isn't significantly worse, cryptographicly speaking, than the old method and allows the database to be easy to transition to another format, when the need arises.) Mechanisms requiring a more secure password database backend (e.g. SRP) should implement their own or use alternate property names within sasldb.

Coexistence with SASLv1

The two library versions and the associated utilities should be able to coexist on the same system. The man pages will be unable to coexist (but luckily the new manpages are much better!). The libsasl v2-specific utilities have had a "2" appended to their name for this purpose (e.g. saslpasswd2, sasldblistusers2). The new-style sasldb now defaults to the name /etc/sasldb2, but this is configurable.

Database Upgrades

While there does not seem to be any conflict with the keys stored in the database, it is not recommended for both versions of the library to use the same database file. Included in the utils directory is a program called dbconverter-2 which will allow you to convert from the old-format database to the new format. If you continue to run applications that rely on Cyrus SASLv2 the databases will not be kept in sync by any automatic means.

Back to the index