SASL

Overview

SASL (Simple Authentication and Security Layer) is a framework that lets a client and a server negotiate which mechanism they will use to authenticate a user, and then carry that mechanism's exchange inside the application protocol (SMTP, IMAP, LDAP, ...). The original SASL was described in RFC 2222, which has since been obsoleted by RFC 4422. Read the introduction section for an overview:

http://tools.ietf.org/html/rfc4422

SASL can also be used to negotiate an encrypted security layer, but this has nothing to do with HTTPS, LDAPS or TLS. A SASL security layer becomes active only ***AFTER*** the authentication exchange has completed, and only if the chosen mechanism provides one. PLAIN and LOGIN provide no security layer at all and transmit the password itself, so they must only be offered on a connection that is already protected by TLS.

SASL mechanisms are identified by short names (strings such as PLAIN or CRAM-MD5) that are registered with IANA. The current list is available here:

http://www.iana.org/assignments/sasl-mechanisms


Debian packages

sasl2-bin installs a number of command line utilities (among them saslpasswd2, sasldblistusers2, saslauthd and testsaslauthd) and pulls in its dependencies, in particular libsasl2-modules, which provides the most common SASL mechanisms: LOGIN, PLAIN, ANONYMOUS, CRAM-MD5 and DIGEST-MD5. Note that CRAM-MD5 and DIGEST-MD5 are built on MD5 and DIGEST-MD5 has been moved to Historic status by RFC 6331; where you have the choice, prefer PLAIN over TLS or a SCRAM mechanism.


User database

The SASL user database is stored in

/etc/sasldb2

This database is used by some (but not all!) SASL mechanisms. The shared-secret mechanisms CRAM-MD5 and DIGEST-MD5 need it (or another auxprop source), because the server must recompute a hash over the original password; PLAIN and LOGIN can be checked against it as well, or handed to saslauthd instead. For the same reason the passwords in sasldb2 are stored in plaintext, so the file must stay readable only by root (and the sasl group that Debian creates for services which need it).


To create a new user (the -u option sets the realm, which otherwise defaults to the host name; -d deletes a user):

saslpasswd2 -c <username>


To list the database (including realms):

sasldblistusers2
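
Worked example of the negotiation described in the overview and of why the user database above must hold plaintext secrets for the shared-secret mechanisms. It models both sides of a PLAIN (RFC 4616) and a CRAM-MD5 (RFC 2195) exchange. This is an added example, not part of the original page and not Cyrus SASL's own code: the SASLDB dict is a constructed stand-in for /etc/sasldb2, the realm example.org and the user tim with password tanstaaftanstaaf are constructed sample data, and the challenge string is the example challenge from RFC 2195.

```python
"""Toy SASL exchange: mechanism negotiation, PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195).
Added example, not Cyrus SASL code; SASLDB is a constructed stand-in for /etc/sasldb2."""
import base64
import hashlib
import hmac

# Client preference, strongest first; only the mechanisms implemented below.
# The names are the IANA-registered mechanism strings.
PREFERENCE = ["CRAM-MD5", "PLAIN"]
# Mechanisms that transmit the password itself: acceptable only under TLS (local policy).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
DEFAULT_REALM = "example.org"  # assumption: stands in for the host's default realm

# Constructed stand-in for /etc/sasldb2.  Secrets are keyed by (user, realm) and kept
# in plaintext, because CRAM-MD5 must recompute an HMAC over the original password.
SASLDB = {("tim", DEFAULT_REALM): "tanstaaftanstaaf"}


def choose_mechanism(server_offers, tls_active):
    """Negotiation: first preferred mechanism the server offers, refusing cleartext
    mechanisms when the connection is not already protected by TLS."""
    for mech in PREFERENCE:
        if mech not in server_offers:
            continue
        if mech in CLEARTEXT_MECHS and not tls_active:
            continue
        return mech
    return None  # nothing acceptable: abort rather than downgrade


def plain_initial_response(authzid, authcid, password):
    """PLAIN message (RFC 4616): [authzid] NUL authcid NUL password, base64 on the wire."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside PLAIN fields")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_verify(wire, realm=DEFAULT_REALM):
    """Server side of PLAIN: split on NUL and compare against the stored secret."""
    parts = base64.b64decode(wire).split(b"\0")
    if len(parts) != 3:
        return False  # malformed message, not an authentication failure
    _authzid, authcid, password = (p.decode("utf-8") for p in parts)
    secret = SASLDB.get((authcid, realm))
    return secret is not None and hmac.compare_digest(secret.encode("utf-8"), password.encode("utf-8"))


def cram_md5_digest(password, challenge):
    """Keyed digest the client returns: hex(HMAC-MD5(password, challenge))."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, password, challenge_b64):
    """Client side: decode the server challenge and answer with 'username digest'."""
    digest = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(challenge_b64, response_b64, realm=DEFAULT_REALM):
    """Server side: look up the plaintext secret and recompute the digest.
    The password never crosses the wire, but the server must hold it in the clear."""
    username, _, digest = base64.b64decode(response_b64).decode("utf-8").rpartition(" ")
    secret = SASLDB.get((username, realm))
    if secret is None:
        return False
    expected = cram_md5_digest(secret, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))


# Sample challenge built from the RFC 2195 example string; a real server generates
# a fresh, unpredictable challenge for every connection.
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode("ascii")


def demo(server_offers, tls_active):
    """Run one exchange end to end for user tim; returns (mechanism, authenticated)."""
    mech = choose_mechanism(server_offers, tls_active)
    if mech is None:
        return None, False
    if mech == "PLAIN":
        wire = plain_initial_response("", "tim", "tanstaaftanstaaf")
        return mech, plain_verify(wire)
    resp = cram_md5_response("tim", "tanstaaftanstaaf", CHALLENGE_B64)
    return mech, cram_md5_verify(CHALLENGE_B64, resp)


if __name__ == "__main__":
    for offers, tls in ((["PLAIN", "LOGIN", "CRAM-MD5"], False), (["PLAIN", "LOGIN"], False), (["PLAIN"], True)):
        print(offers, "TLS" if tls else "no TLS", "->", demo(offers, tls))
```

The negotiation step is where the security decision is made: when the server only offers cleartext mechanisms on an unprotected connection the client gives up instead of sending the password. The verify functions show why sasldb2 keeps plaintext secrets: CRAM-MD5 can only be checked by recomputing the HMAC over the stored password, which is exactly what makes the file worth protecting.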