Codebase list cyrus-sasl2 / debian/2.1.26.dfsg1-14 debian / doc / ldapdb.5.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<refentry lang="en">
  <refmeta>
    <refentrytitle>ldapdb</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>ldapdb</refname>

    <refpurpose>auxiliary property plugin</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>Cyrus SASL auxprop plugin to access LDAP authentication
    backends.</para>
  </refsynopsisdiv>

  <refsection>
    <title>Description</title>

    <para>This document describes configuration options for the Cyrus SASL
    auxiliary property plugin <option>ldapdb</option>.</para>

    <para>This plugin reads all user data from an OpenLDAP server. It requires
    configuration of both the <option>ldapdb</option> plugin and the LDAP
    server. The <option>ldapdb</option> plugin must name a proxy user, and
    that proxy user must itself authenticate to the LDAP server via SASL. The
    LDAP server must authorize the <option>ldapdb</option> proxy user to
    access the authenticating user's
    <parameter>userPassword</parameter>.</para>
  </refsection>

  <refsection>
    <title>Options</title>

    <para>The following configuration parameters are applicable in the context
    of the <option>ldapdb</option> plugin:</para>

    <variablelist>
      <varlistentry>
        <term><option>ldapdb_uri</option> (default: empty)</term>

        <listitem>
          <para>Specifies a whitespace-separated list of LDAP servers
          (authentication backends). Use <option>ldapi://</option>...,
          <option>ldap://</option>... or <option>ldaps://</option>... to
          specify how the servers should be contacted.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>ldapdb_id</option> (default: empty)</term>

        <listitem>
          <para>Specifies the proxy user name (authentication id) that logs
          into the LDAP server in order to retrieve the authenticating user's
          <parameter>userPassword</parameter>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>ldapdb_mech</option> (default: empty)</term>

        <listitem>
          <para>Sets the SASL mechanism the <option>ldapdb</option> plugin
          (client) should use when it SASL connects to the LDAP server.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>ldapdb_pw</option> (default: empty)</term>

        <listitem>
          <para>Specifies the password used by
          <parameter>ldapdb_id</parameter>. The password must be written in
          cleartext.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>ldapdb_rc</option> (default: empty)</term>

        <listitem>
          <para>Specifies a path to a file that contains configuration options
          to override system-wide defaults when running LDAP clients (see
          also: <citerefentry>
              <refentrytitle>ldap.conf</refentrytitle>

              <manvolnum>5</manvolnum>
            </citerefentry>).</para>

          <para>The main purpose behind this option is to drop transmission of
          <parameter>ldapdb_pw</parameter> in favor of a client TLS
          certificate specified in <parameter>ldapdb_rc</parameter>, so that
          SASL/EXTERNAL may be used between the ldapdb plugin and the LDAP
          server.</para>

          <note>
            <para>This is the best way to use the ldapdb plugin when the
            servers are on separate machines: the connection is encrypted and
            no password needs to be transmitted, because the client is
            identified by its TLS client certificate.</para>
          </note>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>ldapdb_starttls</option> (default: empty)</term>

        <listitem>
          <para>Enable encrypted communication using StartTLS. Valid options
          are:</para>

          <variablelist>
            <varlistentry>
              <term><option>try</option></term>

              <listitem>
                <para>StartTLS encrypted communication is attempted. If it
                fails, the client falls back to unencrypted communication.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><option>demand</option></term>

              <listitem>
                <para>StartTLS encrypted communication is required. If it
                fails, the client aborts the connection.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsection>

  <refsection>
    <title>Example</title>

    <para>The following example shows a typical <option>ldapdb</option>
    configuration.</para>

    <programlisting>pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://localhost ldaps://ldap.example.com
ldapdb_id: proxyuser
ldapdb_pw: proxypass
ldapdb_mech: DIGEST-MD5</programlisting>
  </refsection>
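  <refsection>
    <title>Checking a configuration</title>

    <para>The following Python script is an added example; it is not part of
    the original manual page or of Cyrus SASL. It parses the key: value
    configuration format shown above and reports ldapdb settings that keep
    the proxy password in cleartext or allow an unencrypted connection to the
    LDAP server. The hardened sample and the ldapdb_rc path in it are
    constructed for the example.</para>

```python
# Added example, not from the Debian manual page or Cyrus SASL: parse the
# "key: value" format shown above and audit the ldapdb_* settings.

# Constructed: the Example section's cleartext-password setup plus "try".
WEAK_CONF = """pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://localhost ldaps://ldap.example.com
ldapdb_id: proxyuser
ldapdb_pw: proxypass
ldapdb_mech: DIGEST-MD5
ldapdb_starttls: try
"""

# Constructed: identity comes from a TLS client certificate named in the
# file given by ldapdb_rc (assumed path, holding ldap.conf(5) TLS_CACERT,
# TLS_CERT and TLS_KEY), so no password is stored or transmitted.
HARDENED_CONF = """pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://ldap.example.com
ldapdb_mech: EXTERNAL
ldapdb_rc: /etc/sasl2/ldapdb.ldaprc
ldapdb_starttls: demand
"""

def parse_sasl_conf(text):
    """Return a dict of 'key: value' lines; blanks and '#' comments skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def audit_ldapdb(conf):
    """Return a list of findings about the ldapdb_* settings in conf."""
    findings = []
    uris = conf.get("ldapdb_uri", "").split()
    starttls = conf.get("ldapdb_starttls", "")
    only_ldapi = bool(uris) and all(u.startswith("ldapi://") for u in uris)
    if conf.get("ldapdb_pw"):
        findings.append("ldapdb_pw keeps the proxy password in cleartext; "
                        "prefer ldapdb_rc with a TLS client certificate")
    if conf.get("ldapdb_mech", "").upper() == "EXTERNAL":
        if not conf.get("ldapdb_rc") and not only_ldapi:
            findings.append("SASL/EXTERNAL needs ldapdb_rc naming a TLS client certificate")
    if any(u.startswith("ldap://") for u in uris) and starttls != "demand":
        findings.append("ldap:// URI without ldapdb_starttls demand permits cleartext")
    if starttls == "try":
        findings.append("ldapdb_starttls try falls back to cleartext if StartTLS fails")
    return findings
```
  </refsection>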

  <refsection>
    <title>See also</title>

    <para><citerefentry>
        <refentrytitle>authdaemond</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>ldapdb</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>libsasl</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>saslauthd</refentrytitle>

        <manvolnum>8</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>saslauthd.conf</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>saslpasswd2</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>sasldblistusers2</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>sasldb</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry>, <citerefentry>
        <refentrytitle>sql</refentrytitle>

        <manvolnum>5</manvolnum>
      </citerefentry></para>
  </refsection>

  <refsection>
    <title>Readme files</title>

    <para><filename>README.Debian</filename></para>
  </refsection>

  <refsection>
    <title>Author</title>

    <para>This manual was written for the Debian distribution because the
    original program does not have a manual page. Parts of the documentation
    have been taken from the Cyrus SASL's
    <filename>options.html</filename>.</para>

    <para><address>Patrick Ben Koetter
<email>p@state-of-mind.de</email></address></para>
  </refsection>
</refentry>