The idea of SASL is to enable clients and servers to negotiate a mechanism how to authenticate a user. The original SASL was described in RFC 2222, which has later been made obsolete by RFC 4422. Read the introduction section for an overview:

SASL can also be used to negotiate an encrypted security layer, however this has nothing to do with HTTPS, LDAPS or TLS!!! The encryption layer will become active only ***AFTER*** authentication has happened.

SASL mechanisms are named by strings, mechanism names are registered with the IANA. The current list is available here:

Debian packages

sasl2-bin installs a number of command line utilities, and also takes care to install any dependencies such as libsasl2-modules, which provides the most common SASL mechanisms LOGIN, PLAIN, ANONYMOUS, CRAM-MD5 and DIGEST-MD5.

User database

The SASL user database is stored in


This database is used by some (but not all!) SASL mechanisms.

To create a new user:

saslpasswd2 -c <username>

To list the database (including realms):