.\" Title: saslauthd.conf
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.TH "SASLAUTHD\&.CONF" "5" "12/14/2008" "" ""
.\" disable hyphenation
.\" disable justification (adjust text to left margin only)
saslauthd.conf \- saslauthd LDAP configuration file
\fBsaslauthd\fR [\-a\ ldap]
\fBsaslauthd\fR [\-a\ ldap] [\-O\ \fI/etc/saslauthd\&.conf\fR]
This document describes LDAP configuration options for the Cyrus SASL password verification service
searches for LDAP configuration options in
\fI/usr/local/etc/saslauthd\&.conf\fR\&. This location can be overridden if the additional command line option
specifies an alternative path to the configuration file\&.
Do not use quotes (\e"\e\') in the parameter values\&.
The following are available LDAP parameters\&. The defaults are probably adequate for most installations\&. Only
\fIldap_servers\fR
may need to be specified\&.
\fIldap_auth_method\fR (default: \fBbind\fR|\fBfastbind\fR)
The bind method uses the LDAP bind facility to verify the password\&. The bind method is not available when
is turned on\&. In that case saslauthd will use fastbind\&.
is the default auth method\&. When ldap_use_sasl is enabled, \'fastbind\' is the default\&.
attribute to verify the password\&. Supported hashes:
is supported as well\&.
\- does away with the search and an extra anonymous bind in auth_bind, but makes two assumptions:
\h'-04' 1.\h'+02'Expanding the ldap_filter expression gives the user\'s fully\-qualified DN
\h'-04' 2.\h'+02'There is no cost to staying bound as a named user
\fIldap_bind_dn\fR (default: empty)
(distinguished name) to bind to the LDAP directory\&. Do not specify this parameter for the anonymous bind\&.
\fIldap_bind_pw\fR (default: empty)
\fIldap_password\fR\&.
\fIldap_default_domain\fR (default: empty)
\fIldap_default_realm\fR\&.
\fIldap_default_realm\fR (default: empty)
The default realm is assigned to the
token when realm is not available\&. See
\fIldap_deref\fR (default: empty)
Specify how alias dereferencing is handled during search\&. Should be one of
to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search\&.
\fIldap_filter\fR (default: \fBuid=%u\fR)
Specify a filter\&. The following tokens can be used in the filter string:
This is replaced by a literal \(cq%\(cq character\&.
is replaced by the complete user string\&.
If the string is an address (\fB%u\fR),
will be replaced by the local part of that address\&.
If the string is an address (\fB%u\fR),
will be replaced by the domain part of that address\&. Otherwise it will be the same as
user@mail\&.example\&.com, then
is replaced by the complete service string\&.
is replaced by the complete realm string\&.
is replaced by the complete user DN (available for group checks)\&.
token has to be used at minimum for the filter to be useful\&. If
\fIldap_auth_method\fR
\fBbind\fR, the filter will search for the
(distinguished name) attribute\&. Otherwise, the search will look for the
\fIldap_password_attr\fR
\fIldap_group_attr\fR (default: \fBuniqueMember\fR)
Specify what attribute to compare the user DN against in the group\&. If
is not specified, this parameter is ignored\&. If
\fIldap_group_match_method\fR
\fBattr\fR, this parameter is ignored\&.
\fIldap_group_dn\fR (default: empty)
If specified, the user has to be part of the group in order to authenticate successfully\&. Tokens described in
can be used for substitution\&.
\fIldap_group_filter\fR (default: empty)
Specify a filter\&. If a filter match is found then the user is in the group\&. Tokens described in
can be used for substitution\&. If
is not specified, this parameter is ignored\&. If
\fIldap_group_match_method\fR
is not \fBfilter\fR, this parameter is ignored\&.
\fIldap_group_match_method\fR (default: \fBattr\fR)
is used the group match method uses
\fIldap_group_attr\fR
\fIldap_group_search\fR
will be used as group match method\&. If
is not specified, this parameter is ignored\&.
\fIldap_group_search_base\fR (default: \fIldap_search_base\fR)
Specify a starting point for the group search: e\&.g\&.
dc=example,dc=com\&. Tokens described in
can be used for substitution\&.
\fIldap_group_scope\fR (default: \fBsub\fR)
Group search scope\&. Options are either
\fIldap_password\fR (default: empty)
Specify the password for
is turned on\&. Do not specify this parameter for the anonymous bind\&.
\fIldap_password_attr\fR (default: \fBuserPassword\fR)
Specify what password attribute to use for password verification\&.
\fIldap_referrals\fR (default: \fBno\fR)
Specify whether or not the client should follow referrals\&.
\fIldap_restart\fR (default: \fByes\fR)
Specify whether or not LDAP I/O operations are automatically restarted if they abort prematurely\&.
\fIldap_id\fR (default: empty)
Specify the authentication ID for SASL bind\&.
\fIldap_authz_id\fR (default: empty)
Specify the proxy authorization ID for SASL bind\&.
\fIldap_mech\fR (default: empty)
Specify the authentication mechanism for SASL bind\&.
\fIldap_realm\fR (default: empty)
Specify the realm of the authentication ID for SASL bind\&.
\fIldap_scope\fR (default: \fBsub\fR)
Search scope\&. Options are either
\fIldap_search_base\fR (default: empty)
Specify a starting point for the search: e\&.g\&.
dc=example,dc=com\&. Tokens described in
can be used for substitution\&.
\fIldap_servers\fR (default: \fBldap://localhost/\fR)
Specify one or more URI(s) referring to LDAP server(s), e\&.g\&.
ldaps://10\&.1\&.1\&.2:999/\&. Multiple servers must be separated by a space\&.
\fIldap_start_tls\fR (default: \fBno\fR)
Use the StartTLS extended operation\&. Do not use ldaps: URIs in \fIldap_servers\fR when this option is turned on\&.
\fIldap_time_limit\fR (default: \fB5\fR)
Specify a number of seconds for a search request to complete\&.
\fIldap_timeout\fR (default: \fB5\fR)
Specify a number of seconds a search can take before timing out\&.
\fIldap_tls_check_peer\fR (default: \fBno\fR)
Require and verify server certificate\&. If this option is
\fByes\fR, you must specify
\fIldap_tls_cacert_file\fR
\fIldap_tls_cacert_dir\fR\&.
\fIldap_tls_cacert_file\fR (default: empty)
File containing CA (Certificate Authority) certificate(s)\&.
\fIldap_tls_cacert_dir\fR (default: empty)
Path to directory with CA (Certificate Authority) certificates\&.
\fIldap_tls_ciphers\fR (default: \fBDEFAULT\fR)
List of SSL/TLS ciphers to allow\&. The format of the string is described in
\fIldap_tls_cert\fR (default: empty)
File containing the client certificate\&.
\fIldap_tls_key\fR (default: empty)
File containing the private client key\&.
\fIldap_use_sasl\fR (default: \fBno\fR)
Use SASL bind instead of simple bind when connecting to the LDAP server\&.
\fIldap_version\fR (default: \fB3\fR)
Specify the LDAP protocol version \- either
will be automatically set to
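The parameter descriptions above state several consistency rules (no quotes in values, no ldaps: URI together with ldap_start_tls, ldap_tls_check_peer needs a CA file or directory, bind is unavailable with ldap_use_sasl). The following checker is an added example, not part of Cyrus SASL or this manual; it assumes the file uses "key: value" lines with full-line "#" comments, and both sample configurations are constructed.

```python
"""Lint the LDAP section of a saslauthd.conf against the rules on this page.
Added example, not Cyrus SASL code; line syntax and samples are assumptions."""

# Constructed sample that breaks four rules stated on the page.
WEAK_CONF = """\
ldap_servers: ldaps://10.1.1.2:999/ ldap://localhost/
ldap_start_tls: yes
ldap_tls_check_peer: no
ldap_use_sasl: yes
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,dc=example,dc=com
ldap_bind_pw: "secret"
"""

# Constructed sample that passes every check: TLS to the server, verified CA.
HARDENED_CONF = """\
ldap_servers: ldaps://ldap.example.com/
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem
ldap_auth_method: fastbind
"""

def parse_conf(text):
    """Parse 'key: value' lines (assumed syntax); skip blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip().lower()] = value.strip()
    return conf

def lint(conf):
    """Return one message per rule the configuration breaks."""
    out = []
    servers = conf.get("ldap_servers", "ldap://localhost/").split()
    start_tls = conf.get("ldap_start_tls", "no") == "yes"
    if start_tls and any(s.startswith("ldaps:") for s in servers):
        out.append("ldap_start_tls with an ldaps: URI in ldap_servers")
    if not start_tls and any(s.startswith("ldap:") for s in servers):
        out.append("ldap: URI without ldap_start_tls: bind password sent in clear")
    if conf.get("ldap_tls_check_peer", "no") != "yes":
        out.append("ldap_tls_check_peer is not yes: server certificate unverified")
    elif not (conf.get("ldap_tls_cacert_file") or conf.get("ldap_tls_cacert_dir")):
        out.append("ldap_tls_check_peer is yes but no ldap_tls_cacert_file/dir set")
    if conf.get("ldap_use_sasl", "no") == "yes" and conf.get("ldap_auth_method") == "bind":
        out.append("bind unavailable with ldap_use_sasl; saslauthd falls back to fastbind")
    out += [f"{k}: quotes are not allowed in parameter values"
            for k, v in conf.items() if '"' in v or "'" in v]
    return out
```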
\fBauthdaemond\fR(5),
\fBsaslauthd\&.conf\fR(5),
\fBsaslpasswd2\fR(5),
\fBsasldblistusers2\fR(5),
\fIREADME\&.Debian\fR
This manual is based on notes in
It was edited and revised for the Debian distribution because the original program does not have a manual page\&.
<p@state\-of\-mind\&.de>