1 .\" $Id: saslauthd.mdoc,v 1.18 2004/03/25 18:24:26 rjs3 Exp $
2 .\" Copyright 1997-2001 Messaging Direct Ltd. All rights reserved.
4 .\" This manpage uses the BSD mdoc manpage macros. Please don't
5 .\" downgrade it to -man. The -mdoc macros are included with
6 .\" GNU roff, and, of course, with the BSD distributions.
8 .\" To make life easier for sites that don't support -mdoc,
9 .\" please generate (and commit!) an updated pre-formatted
10 .\" manpage in saslauthd.8 whenever you change this source
11 .\" version. Only the pre-formatted manpage is installed.
18 .Nd sasl authentication server
31 is a daemon process that handles plaintext authentication requests
32 on behalf of the SASL library.
34 The server fulfills two roles: it isolates all code requiring superuser
35 privileges into a single process, and it can be used to provide
37 authentication services to clients that do not understand
38 SASL based authentication.
42 started from the system boot scripts when going to
43 multi-user mode. When running against a protected authentication
47 it must be run as the superuser.
49 Options named by lower\-case letters configure the server itself.
50 Upper\-case options control the behavior of specific authentication
51 mechanisms; their applicability to a particular authentication
52 mechanism is described in the
53 .Sx AUTHENTICATION MECHANISMS
55 .Bl -tag -width indent
59 as the authentication mechanism. (See the
60 .Sx AUTHENTICATION MECHANISMS
61 section below.) This parameter is mandatory.
63 A mechanism specific option (e.g. rimap hostname or config file path)
65 The remote host to be contacted by the
67 authentication mechanism. (Depricated, use -O instead)
71 as the pathname to the named socket to listen on for
72 connection requests. This must be an absolute pathname, and MUST NOT
73 include the trailing "/mux". Note that the default for this value
74 is "/var/state/saslauthd" (or what was specified at compile time)
75 and that this directory must exist for saslauthd to function.
79 processes for responding to authentication queries. (default: 5) A
80 value of zero will indicate that saslauthd should fork an individual
81 process for each connection. This can solve leaks that occur in some
86 as the table size of the hash table (in kilobytes)
90 as the expiration time of the authentication cache (in seconds)
92 Honour time-of-day login restrictions.
94 Show usage information
96 Enable cacheing of authentication credentials
98 Disable the use of a lock file for controlling access to accept().
100 Combine the realm with the login (with an '@' sign in between). e.g.
101 login: "foo" realm: "bar" will get passed as login: "foo@bar". Note that
102 the realm will still be passed, which may lead to unexpected behavior.
104 Print the version number and available authentication
105 mechanisms on standard error, then exit.
111 logs it's activities via
116 .Sh AUTHENTICATION MECHANISMS
119 .Qq authentication mechanisms ,
120 dependent upon the facilities provided by the underlying operating system.
121 The mechanism is selected by the
123 flag from the following list of choices:
124 .Bl -tag -width "kerberos4"
128 Authenticate using the DCE authentication environment.
132 Authenticate using the
134 library function. Typically this authenticates against the
135 local password file. See your systems
137 man page for details.
141 Authenticate against the local Kerberos 4 realm. (See the
143 section for caveats about this driver.)
147 Authenticate against the local Kerberos 5 realm.
151 Authenticate using Pluggable Authentication Modules (PAM).
155 Forward authentication requests to a remote IMAP server. This driver
156 connects to a remote IMAP server, specified using the -O flag,
157 and attempts to login (via an IMAP
159 command) using the credentials
160 supplied to the local
161 server. If the remote authentication succeeds the local connection
162 is also considered to be authenticated. The remote connection is closed
163 as soon as the tagged response from the
165 command is received from the remote
172 flag describes the remote server to forward
173 authentication requests to.
175 can be a hostname (imap.example.com) or a dotted\-quad IP address
176 (192.168.0.1). The latter is useful if the remote server is
177 multi\-homed and has network interfaces that are unreachable from
178 the local IMAP server. The remote host is contacted on the
180 service port. A non\-default port can be specified by appending
181 a slash and the port name or number
188 flag and argument are mandatory when using the
192 .Em (AIX, Irix, Linux, Solaris)
194 Authenticate against the local
195 .Qq shadow password file .
196 The exact mechanism is system dependent.
198 currently understands the
202 library routines. Some systems
209 Authenticate against the
210 SASL authentication database. Note that this is probabally not what you
211 want to be using, and is even disabled at compile-time by default.
212 If you want to use sasldb with the SASL library, you probably want to
213 use the pwcheck_method of "auxprop" along with the sasldb auxprop plugin
216 .Em (All platforms that support OpenLDAP 2.0 or higher)
218 Authenticate against an ldap server. The ldap configuration parameters are
219 read from /usr/local/etc/saslauthd.conf. The location of this file can be
220 changed with the -O parameter. See the LDAP_SASLAUTHD file included with the
221 distribution for the list of available parameters.
225 Authenticate using the Digital
227 Security Integration Architecture
229 .Qq enhanced security ) .
234 authentication driver consumes considerable resources. To perform an
235 authentication it must obtain a ticket granting ticket
237 .Sy on every authentication request.
238 The Kerberos library routines that obtain the TGT also create a
239 local ticket file, on the reasonable assumption that you will want
240 to save the TGT for use by other Kerberos applications. These ticket
241 files are unusable by
243 however there is no way not to create them. The overhead of creating
245 these ticket files can cause serious performance degradation on busy
247 was never intended to be used in this manner, anyway.)
249 .Bl -tag -width "/var/run/saslauthd/mux"
250 .It Pa /var/run/saslauthd/mux
251 The default communications socket.
252 .It Pa /usr/local/etc/saslauthd.conf
253 The default configuration file for ldap support.
261 .Xr sia_authenticate_user 3 ,