Pwcheck
Auxprop
Auxprop-hashed
Saslauthd
What is saslauthd? saslauthd is a daemon which validates
ldap_servers - ldap://localhost
Specify a space separated list of LDAP server URIs of the form ldap[si]://[name[:port]]. See the ldap.conf URI option for formatting details.
ldap_bind_dn - none
When simple authentication is desired, specify a distinguished name to use for a simple authenticated bind or a simple unauthenticated bind. Do not specify if an anonymous bind is desired. This option is ignored when the evaluated ldap_auth_method is fastbind.
ldap_bind_pw - none
ldap_bind_pw is an alias for ldap_password.
ldap_password - none
When simple authentication is desired, specify a password to perform an authenticated bind, or do not specify for an unauthenticated or anonymous bind. When SASL authentication is desired, specify a password to use where required by the underlying SASL mechanism. This option is ignored when the evaluated ldap_auth_method is fastbind.
ldap_version - 3
Defaults to version 3. If ldap_use_sasl or ldap_start_tls is enabled, this option will be ignored and will conform to the default value. Version 3 is compatible with anonymous binds, simple authenticated binds and simple unauthenticated binds. Version 2 should only be necessary where required by the server.
ldap_search_base - none
When ldap_auth_method is evaluated as bind, ldap_search_base will be used to search for the user’s distinguished name. When ldap_auth_method is custom, ldap_search_base will be used to find the user’s ldap_password_attr attribute. When ldap_auth_method is evaluated as fastbind, ldap_search_base is ignored. If ldap_search_base contains substitution tokens, they will be replaced as specified in the ldap_filter token expansion rules.
ldap_filter - uid=%u
When ldap_auth_method is evaluated as bind, ldap_filter will be used to search for the user’s distinguished name. When ldap_auth_method is custom, ldap_filter will become, after token expansion, the user’s distinguished name. When ldap_auth_method is evaluated as fastbind, ldap_filter is ignored. The following tokens, when contained within the ldap_filter option, will be substituted with the specified values:
%% is replaced with a literal %.
%u is replaced with the userid to be authenticated.
%U is replaced by the portion of the userid before the first @ character. If an @ character does not exist in the userid, then %U would function identically to %u. For example, if the userid to be authenticated is jsmith@example.org, %u would be replaced by jsmith@example.org and %U would be replaced by jsmith.
%d is replaced by the portion of the userid after the first @ character. If an @ character does not exist in the userid, %d will be replaced by the realm value passed to saslauthd. If no realm value was passed to saslauthd, %d will be replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.
%1-9 Within a userid which contains an @ character followed by a domain name, %1 will be replaced by the top level domain, %2 will be replaced by the secondary domain, %3 will be replaced by the tertiary domain, up to and including %9, which would be replaced by the ninth level domain. If no @ character exists in the userid, or if there is no domain name after the @ character, or if the specified hierarchical domain level does not exist, the option is replaced by the realm value passed to saslauthd. Should no realm value exist in those scenarios, the option is replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm has not been configured. For example, if the userid to be authenticated is jsmith@example.org, %1 would be replaced by org and %2 would be replaced by example.
%s is replaced by the service option passed to saslauthd, or by an empty string if no service option was passed.
%r is replaced by the realm option passed to saslauthd. If no realm value was passed to saslauthd, %r will be replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.
ldap_password_attr - userPassword
When ldap_auth_method is evaluated as custom, ldap_password_attr specifies an attribute that will be requested and retrieved. If successfully retrieved, the authentication request will succeed if the ldap_password_attr attribute contains a supported password hash, and if the user-submitted password matches the hash. When ldap_auth_method is bind or fastbind, ldap_password_attr is ignored.
ldap_group_dn - none
If ldap_group_dn is specified, group authorization must also succeed (in addition to the prior authentication step) for the user’s authentication attempt to be successful. If ldap_group_dn contains substitution tokens, they will be replaced as specified in the ldap_filter token expansion rules. One additional token substitution is applicable to ldap_group_dn:
%D is replaced by the distinguished name that was specified, or evaluated, in the authentication step. If ldap_use_sasl is enabled, the distinguished name will be resolved by performing an ldapwhoami extended operation after a successful authentication. If ldap_group_dn is specified and ldap_use_sasl is enabled, but the ldap server does not support the ldapwhoami extended operation, or if the ldapwhoami extended operation fails, then the user’s authentication attempt is unsuccessful.
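The token expansion rules described for ldap_filter (and, by reference, ldap_search_base), together with the extra %D token that only ldap_group_dn accepts, as an added Python example. This is not code from saslauthd or the Cyrus SASL project; the parameter names (userid, realm, service, default_realm, dn) and the optional escape hook are this example's own. The page does not state whether saslauthd escapes substituted values, so the RFC 4515 filter escaping shown here is an added defensive measure for filter templates, not a description of saslauthd's behaviour; leave it off for DN templates such as ldap_search_base and ldap_group_dn.

```python
import re

# Characters RFC 4515 requires to be escaped inside an LDAP search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Recognised tokens: %% %u %U %d %s %r %D and %1..%9; anything else is left as-is.
_TOKEN = re.compile(r"%([%uUdsrD1-9])")


def expand_tokens(template, userid, realm="", service="", default_realm="",
                  dn=None, escape=None):
    """Expand saslauthd-style tokens in an ldap_filter / ldap_search_base /
    ldap_group_dn template.

    Fallback order for %d, %r and %1-%9 when the userid supplies no value:
    the realm passed to saslauthd, then ldap_default_realm, then "".
    `dn` is the DN from the authentication step and enables %D (ldap_group_dn only).
    `escape` (hypothetical hook) is applied to every substituted value when given.
    """
    local, at, domain = userid.partition("@")
    labels = domain.split(".") if domain else []   # "example.org" -> ["example", "org"]
    fallback = realm or default_realm or ""

    def value_for(token):
        if token == "%":
            return None                              # literal %, never escaped
        if token == "u":
            return userid
        if token == "U":
            return local                             # whole userid when there is no @
        if token == "d":
            return domain if at else fallback
        if token == "s":
            return service or ""
        if token == "r":
            return fallback
        if token == "D":
            if dn is None:
                raise ValueError("%D is only valid in ldap_group_dn")
            return dn
        level = int(token)                           # %1 = top level, %2 = secondary, ...
        return labels[-level] if level <= len(labels) else fallback

    def repl(match):
        value = value_for(match.group(1))
        if value is None:
            return "%"
        return escape(value) if escape else value

    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    uid = "jsmith@example.org"    # constructed sample userid
    print(expand_tokens("(&(uid=%U)(o=%d))", uid, escape=escape_filter_value))
    print(expand_tokens("dc=%2,dc=%1", uid))
    print(expand_tokens("uid=%u,dc=%d", "jsmith", realm="corp"))
```

With the sample userid jsmith@example.org, "dc=%2,dc=%1" expands to dc=example,dc=org, and a userid without an @ falls back to the realm (or ldap_default_realm, or an empty string) for %d, %r and %1-%9 exactly as the option descriptions specify.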
ldap_group_attr - uniqueMember
ldap_group_attr is ignored unless ldap_group_dn is also specified and ldap_group_match_method is attr. ldap_group_attr specifies an attribute which contains the authenticating identity’s distinguished name. See the ldap_group_match_method entry for additional details.
ldap_group_filter - none
ldap_group_search_base - defaults to the evaluated ldap_search_base
ldap_group_scope - sub
ldap_group_match_method - attr
ldap_default_realm - none
ldap_default_domain - none
ldap_default_domain is an alias for ldap_default_realm.
ldap_auth_method - bind
ldap_timeout - 5
ldap_size_limit - 1
ldap_time_limit - 5
ldap_deref - never
ldap_referrals - no
ldap_restart - yes
ldap_scope - sub
ldap_use_sasl - no
ldap_id - none
ldap_sasl_authc_id - none
ldap_authz_id - none
It does not make any sense to supply an authz identity when performing sasl/fastbind.
ldap_sasl_authz_id - none
ldap_sasl_authz_id is an alias for ldap_authz_id.
ldap_realm - none
ldap_sasl_realm -
ldap_mech -
It doesn’t make any sense to use a mech that does not require an authname and password, when using fastbind.
ldap_sasl_mech -
ldap_sasl_secprops -
ldap_start_tls -
ldap_tls_check_peer -
ldap_tls_cacert_file -
ldap_tls_cacert_dir -
ldap_tls_ciphers -
ldap_tls_cert -
ldap_tls_key -
ldap_debug -
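Several of the option descriptions above state that a setting is ignored or contradictory under a given ldap_auth_method, ldap_use_sasl or ldap_start_tls value (ldap_bind_dn, ldap_password, ldap_search_base and ldap_filter under fastbind; ldap_password_attr outside custom; ldap_version when SASL or STARTTLS is on; ldap_group_attr without ldap_group_dn; ldap_authz_id with fastbind; %D outside ldap_group_dn). The following added Python example, which is not code from saslauthd or its documentation, parses a saslauthd.conf and reports those combinations, so a configuration review catches options that will silently have no effect. It assumes the "option: value" line format with "#" comment lines, and accepts yes/no (plus true/false, on/off, 1/0) as booleans; both sample configurations are constructed.

```python
# Documented aliases, folded onto their canonical option name.
ALIASES = {
    "ldap_bind_pw": "ldap_password",
    "ldap_default_domain": "ldap_default_realm",
    "ldap_sasl_authz_id": "ldap_authz_id",
}


def parse_saslauthd_conf(text):
    """Return {option: value} from 'option: value' lines (assumed file format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key = key.strip().lower()
        conf[ALIASES.get(key, key)] = value.strip()
    return conf


def _enabled(value):
    # Assumed boolean spellings; the documentation itself shows yes/no.
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_ldap_conf(conf):
    """Return findings for option combinations the descriptions call ignored or senseless."""
    findings = []
    method = conf.get("ldap_auth_method", "bind").lower()
    use_sasl = _enabled(conf.get("ldap_use_sasl", "no"))
    start_tls = _enabled(conf.get("ldap_start_tls", "no"))

    if method == "fastbind":
        for opt in ("ldap_bind_dn", "ldap_password", "ldap_search_base", "ldap_filter"):
            if opt in conf:
                findings.append(f"{opt} is ignored when ldap_auth_method is fastbind")
        if "ldap_authz_id" in conf:
            findings.append("ldap_authz_id does not make sense with fastbind")
    if method in ("bind", "fastbind") and "ldap_password_attr" in conf:
        findings.append("ldap_password_attr is only used when ldap_auth_method is custom")
    if (use_sasl or start_tls) and conf.get("ldap_version", "3") != "3":
        findings.append("ldap_version is ignored (version 3 is used) when "
                        "ldap_use_sasl or ldap_start_tls is enabled")
    group_dn = conf.get("ldap_group_dn")
    match_method = conf.get("ldap_group_match_method", "attr").lower()
    if "ldap_group_attr" in conf and (not group_dn or match_method != "attr"):
        findings.append("ldap_group_attr is ignored unless ldap_group_dn is set "
                        "and ldap_group_match_method is attr")
    if group_dn and use_sasl:
        findings.append("ldap_group_dn with ldap_use_sasl requires the ldapwhoami "
                        "extended operation on the server")
    if "%D" in conf.get("ldap_filter", ""):
        findings.append("%D is substituted only in ldap_group_dn, not in ldap_filter")
    return findings


# Constructed sample: fastbind plus several options that fastbind ignores.
MISCONFIGURED = """\
ldap_servers: ldap://ldap.example.org
ldap_auth_method: fastbind
ldap_bind_dn: cn=saslauthd,dc=example,dc=org
ldap_bind_pw: PLACEHOLDER-PASSWORD
ldap_search_base: dc=example,dc=org
ldap_start_tls: yes
ldap_version: 2
ldap_group_attr: uniqueMember
"""

# Constructed sample: the same intent as a bind configuration where every option takes effect.
CORRECTED = """\
ldap_servers: ldap://ldap.example.org
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,dc=example,dc=org
ldap_bind_pw: PLACEHOLDER-PASSWORD
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (uid=%U)
ldap_start_tls: yes
ldap_group_dn: cn=mail-users,ou=groups,dc=example,dc=org
ldap_group_attr: uniqueMember
"""

if __name__ == "__main__":
    for name, text in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, lint_ldap_conf(parse_saslauthd_conf(text)))
```

Run it against a real file with parse_saslauthd_conf(open(path).read()); the misconfigured sample yields five findings (bind DN, password, search base, version and group attribute all ineffective), while the corrected sample yields none.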