.\" Title: saslauthd.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\" Date: 12/14/2008
.\" Manual:
.\" Source:
.\"
.TH "SASLAUTHD\&.CONF" "5" "12/14/2008" "" ""
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
saslauthd.conf \- saslauthd LDAP configuration file
.SH "SYNOPSIS"
.HP 10
\fBsaslauthd\fR [\-a\ ldap]
.HP 10
\fBsaslauthd\fR [\-a\ ldap] [\-O\ \fI/etc/saslauthd\&.conf\fR]
.SH "DESCRIPTION"
.PP
This document describes LDAP configuration options for the Cyrus SASL password verification service
\fBsaslauthd\fR\&.
.PP
By default
\fBsaslauthd\fR
searches for LDAP configuration options in
\fI/usr/local/etc/saslauthd\&.conf\fR\&. This location can be overridden if the additional command line option
\fB\-O\fR
specifies an alternative path to the configuration file\&.
.SH "SYNTAX"
.PP
Do not use quotes (\e"\e\') in the parameter values\&.
.SH "OPTIONS"
.PP
The following are available LDAP parameters\&. The defaults are probably adequate for most installations\&. Only
\fI\fIldap_servers\fR\fR
may need to be specified\&.
.PP
\fIldap_auth_method\fR (default: \fBbind\fR|\fBfastbind\fR)
.RS 4
The bind method uses the LDAP bind facility to verify the password\&. The bind method is not available when
\fIldap_use_sasl\fR
is turned on\&. In that case saslauthd will use fastbind\&.
.PP
\fBbind\fR
.RS 4
\fBbind\fR
is the default auth method\&. When ldap_use_sasl is enabled, \'fastbind\' is the default\&.
.RE
.PP
\fBcustom\fR
.RS 4
The
\fBcustom\fR
method uses
\fIuserPassword\fR
attribute to verify the password\&. Supported hashes:
crypt,
md5, smd5,
sha
and
ssha\&.
Cleartext
is supported as well\&.
.RE
.PP
\fBfastbind\fR
.RS 4
The
\fBfastbind\fR
method \- when
\fIldap_use_sasl\fR
is
\fBno\fR
\- does away with the search and an extra anonymous bind in auth_bind, but makes two assumptions:
.sp
.RS 4
\h'-04' 1.\h'+02'Expanding the ldap_filter expression gives the user\'s fully\-qualified DN
.RE
.sp
.RS 4
\h'-04' 2.\h'+02'There is no cost to staying bound as a named user
.RE
.RE
.RE
.PP
\fIldap_bind_dn\fR (default: empty)
.RS 4
Specify
DN
(distinguished name) to bind to the LDAP directory\&. Do not specify this parameter for the anonymous bind\&.
.RE
.PP
\fIldap_bind_pw\fR (default: empty)
.RS 4
An alias for
\fIldap_password\fR\&.
.RE
.PP
\fIldap_default_domain\fR (default: empty)
.RS 4
An alias for
\fIldap_default_realm\fR\&.
.RE
.PP
\fIldap_default_realm\fR (default: empty)
.RS 4
The default realm is assigned to the
\fB%r\fR
token when realm is not available\&. See
\fIldap_filter\fR
for more\&.
.RE
.PP
\fIldap_deref\fR (default: empty)
.RS 4
Specify how aliases dereferencing is handled during search\&. Should be one of
\fBnever\fR,
\fBalways\fR,
\fBsearch\fR, or
\fBfind\fR
to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search\&.
.RE
.PP
\fIldap_filter\fR (default: \fBuid=%u\fR)
.RS 4
Specify a filter\&. The following tokens can be used in the filter string:
.PP
\fB%%\fR
.RS 4
This is replaced by a literal \(cq%\(cq character\&.
.RE
.PP
\fB%u\fR
.RS 4
\fB%u\fR
is replaced by the complete user string\&.
.RE
.PP
\fB%U\fR
.RS 4
If the string is an address (\fB%u\fR),
\fB%U\fR
will be replaced by the local part of that address\&.
.RE
.PP
\fB%d\fR
.RS 4
If the string is an address (\fB%u\fR),
\fB%d\fR
will be replaced by the domain part of that address\&. Otherwise it will be the same as
\fB%r\fR\&.
.RE
.PP
\fB%1\-9\fR
.RS 4
If the input key is
user@mail\&.example\&.com, then
\fB%1\fR
is
com,
\fB%2\fR
is
example
and
\fB%3\fR
is
mail\&.
.RE
.PP
\fB%s\fR
.RS 4
\fB%s\fR
is replaced by the complete service string\&.
.RE
.PP
\fB%r\fR
.RS 4
\fB%r\fR
is replaced by the complete realm string\&.
.RE
.PP
\fB%D\fR
.RS 4
\fB%D\fR
is replaced by the complete user DN (available for group checks)
.RE
.sp
The
\fB%u\fR
token has to be used at minimum for the filter to be useful\&. If
\fIldap_auth_method\fR
is
\fBbind\fR, the filter will search for the
DN
(distinguished name) attribute\&. Otherwise, the search will look for the
\fIldap_password_attr\fR
attribute\&.
.RE
.PP
\fIldap_group_attr\fR (default: \fBuniqueMember\fR)
.RS 4
Specify what attribute to compare the user DN against in the group\&. If
\fIldap_group_dn\fR
is not specified, this parameter is ignored\&. If
\fIldap_group_match_method\fR
is not
\fBattr\fR, this parameter is ignored\&.
.RE
.PP
\fIldap_group_dn\fR (default: empty)
.RS 4
If specified, the user has to be part of the group in order to authenticate successfully\&. Tokens described in
\fIldap_filter\fR
can be used for substitution\&.
.RE
.PP
\fIldap_group_filter\fR (default: empty)
.RS 4
Specify a filter\&. If a filter match is found then the user is in the group\&. Tokens described in
\fIldap_filter\fR
can be used for for substitution\&. If
\fIldap_group_dn\fR
is not specified, this parameter is ignored\&. If
\fIldap_group_match_method\fR
is not filter, this parameter is ignored\&.
.RE
.PP
\fIldap_group_match_method\fR (default: \fBattr\fR)
.RS 4
If
\fBattr\fR
is used the group match method uses
\fIldap_group_attr\fR
and if
\fBfilter\fR
is used
\fIldap_group_search\fR
will be used as group match method\&. If
\fIldap_group_dn\fR
is not specified, this parameter is ignored\&.
.RE
.PP
\fIldap_group_search_base\fR (default: \fIldap_search_base\fR)
.RS 4
Specify a starting point for the group search: e\&.g\&.
dc=example,dc=com\&. Tokens described in
\fIldap_filter\fR
can be used for substitution\&.
.RE
.PP
\fIldap_group_scope\fR (default: sub)
.RS 4
Group search scope\&. Options are either
\fBsub\fR,
\fBone\fR
or
\fBbase\fR\&.
.RE
.PP
\fIldap_password\fR (default: empty)
.RS 4
Specify the password for
\fIldap_bind_dn\fR
or
\fIldap_id\fR
if
\fIldap_use_sasl\fR
is turned on\&. Do not specify this parameter for the anonymous bind\&.
.RE
.PP
\fIldap_password_attr\fR (default: \fBuserPassword\fR)
.RS 4
Specify what password attribute to use for password verification\&.
.RE
.PP
\fIldap_referrals\fR (default: \fBno\fR)
.RS 4
Specify whether or not the client should follow referrals\&.
.RE
.PP
\fIldap_restart\fR (default: \fByes\fR)
.RS 4
Specify whether or not LDAP I/O operations are automatically restarted if they abort prematurely\&.
.RE
.PP
\fIldap_id\fR (default: empty)
.RS 4
Specify the authentication ID for SASL bind\&.
.RE
.PP
\fIldap_authz_id\fR (default: empty)
.RS 4
Specify the proxy authorization ID for SASL bind\&.
.RE
.PP
\fIldap_mech\fR (default: empty)
.RS 4
Specify the authentication mechanism for SASL bind\&.
.RE
.PP
\fIldap_realm\fR (default: empty)
.RS 4
Specify the realm of authentication ID for SASL bind\&.
.RE
.PP
\fIldap_scope\fR (default: \fBsub\fR)
.RS 4
Search scope\&. Options are either
\fBsub\fR,
\fBone\fR
or
\fBbase\fR\&.
.RE
.PP
\fIldap_search_base\fR (default: empty)
.RS 4
Specify a starting point for the search: e\&.g\&.
dc=example,dc=com\&. Tokens described in
\fIldap_filter\fR
can be used for substitution\&.
.RE
.PP
\fIldap_servers\fR (default: \fBldap://localhost/\fR)
.RS 4
Specify one or more URI(s) referring to LDAP server(s), e\&.g\&.
ldaps://10\&.1\&.1\&.2:999/\&. Multiple servers must be separated by space\&.
.RE
.PP
\fIldap_start_tls\fR (default: \fBno\fR)
.RS 4
Use StartTLS extended operation\&. Do not use ldaps: ldap_servers when this option is turned on\&.
.RE
.PP
\fIldap_time_limit\fR (default: \fB5\fR)
.RS 4
Specify a number of seconds for a search request to complete\&.
.RE
.PP
\fIldap_timeout\fR (default: \fB5\fR)
.RS 4
Specify a number of seconds a search can take before timing out\&.
.RE
.PP
\fIldap_tls_check_peer\fR (default: \fBno\fR)
.RS 4
Require and verify server certificate\&. If this option is
\fByes\fR, you must specify
\fIldap_tls_cacert_file\fR
or
\fIldap_tls_cacert_dir\fR\&.
.RE
.PP
\fIldap_tls_cacert_file\fR (default: empty)
.RS 4
File containing CA (Certificate Authority) certificate(s)\&.
.RE
.PP
\fIldap_tls_cacert_dir\fR (default: empty)
.RS 4
Path to directory with CA (Certificate Authority) certificates\&.
.RE
.PP
\fIldap_tls_ciphers\fR (default: \fBDEFAULT\fR)
.RS 4
List of SSL/TLS ciphers to allow\&. The format of the string is described in
\fBciphers\fR(1)\&.
.RE
.PP
\fIldap_tls_cert\fR (default: empty)
.RS 4
File containing the client certificate\&.
.RE
.PP
\fIldap_tls_key\fR (default: empty)
.RS 4
File containing the private client key\&.
.RE
.PP
\fIldap_use_sasl\fR (default: \fBno\fR)
.RS 4
Use SASL bind instead of simple bind when connecting to the LDAP server\&.
.RE
.PP
\fIldap_version\fR (default: \fB3\fR)
.RS 4
Specify the LDAP protocol version \- either
\fB2\fR
or
\fB3\fR\&. If
\fIldap_start_tls\fR
and/or
\fIldap_use_sasl\fR
are enabled,
\fIldap_version\fR
will be automatically set to
\fB3\fR\&.
.RE
.SH "EXAMPLE"
.PP
.sp
.RS 4
.nf
.fi
.RE
.SH "SEE ALSO"
.PP
\fBauthdaemond\fR(5),
\fBldapdb\fR(5),
\fBlibsasl\fR(5),
\fBsaslauthd\fR(8),
\fBsaslauthd.conf\fR(5),
\fBsaslpasswd2\fR(5),
\fBsasldblistusers2\fR(5),
\fBsasldb\fR(5),
\fBsql\fR(5)
.SH "README FILES"
.PP
\fIREADME\&.Debian\fR
.SH "AUTHOR(S)"
.PP
This manual is based on notes in
\fILDAP_SASLAUTHD\fR
from Igor Brezac\&.
.PP
.RS 4
.nf
Igor Brezac
<Igor@ipass\&.net>
.fi
.RE
.PP
It was edited and revised for the Debian distribution because the original program does not have a manual page\&.
.PP
.RS 4
.nf
Patrick Ben Koetter
<p@state\-of\-mind\&.de>
.fi
.RE