SASL

From HerzbubeWiki
Jump to: navigation, search

Overview

The idea of SASL is to enable clients and servers to negotiate a mechanism how to authenticate a user. The original SASL was described in RFC 2222, which has later been made obsolete by RFC 4422. Read the introduction section for an overview: 

http://tools.ietf.org/html/rfc4422

SASL can also be used to negotiate an encrypted security layer, however this has nothing to do with HTTPS, LDAPS or TLS!!! The encryption layer will become active only ***AFTER*** authentication has happened.

SASL mechanisms are named by strings, mechanism names are registered with the IANA. The current list is available here: 

http://www.iana.org/assignments/sasl-mechanisms


Debian packages

sasl2-bin installs a number of command line utilities, and also takes care to install any dependencies such as libsasl2-modules, which provides the most common SASL mechanisms LOGIN, PLAIN, ANONYMOUS, CRAM-MD5 and DIGEST-MD5.


User database

The SASL user database is stored in 

/etc/sasldb2

This database is used by some (but not all!) SASL mechanisms.


To create a new user: 

saslpasswd2 -c <username>


To list the database (including realms): 

sasldblistusers2
Retrieved from "https://wiki.herzbube.ch/index.php?title=SASL&oldid=5588"