
7.6 The Simple Authentication and Security Layer (SASL)

The Cyrus SASL project forms the basis for several other products' authentication and session-encryption support, most notably the Cyrus IMAP mail server and the OpenLDAP directory server. The Cyrus Simple Authentication and Security Layer (SASL) project provides an extensible framework for network protocol authentication. It is more generic than PAM in that SASL supports more complex authentication exchanges, such as Kerberos mutual authentication, and also supports the negotiation of a security layer (integrity protection and encryption) for later protocol exchanges once authentication is complete. SASL is documented as Internet RFC 2222 (since obsoleted by RFC 4422, which describes the same framework).

SASL supports native Kerberos 5 authentication through the GSSAPI interface. Other authentication methods that SASL provides to applications include Kerberos 4 and standard /etc/passwd or /etc/shadow authentication, optionally through a privileged daemon process for services that don't have the necessary privileges to read the system password database. In addition, SASL supports several database-backed authentication methods, including sasldb, which uses a lightweight database such as Berkeley DB or GDBM to store username/password pairs, and a mysql driver that uses the MySQL database to store authentication secrets. SASL also includes a daemon process, saslauthd, which can provide password-based Kerberos 5 support to SASL-based applications, similar to that of PAM. Note the difference between the two Kerberos paths: the GSSAPI mechanism authenticates with Kerberos tickets and never exposes the user's password to the application server, whereas the saslauthd method verifies a password that the client has sent to the server in a plaintext mechanism such as PLAIN, so it should only be offered over an encrypted connection. We'll cover how to build and enable this password verification method as well.

The Cyrus SASL home page is located at http://asg.web.cmu.edu/sasl/, and the latest version of the Cyrus SASL distribution available at the time this was written is 2.1.10. (The project has since moved to https://www.cyrusimap.org/sasl/.) We'll step through the process of building the Cyrus SASL library with Kerberos 5 support through the GSSAPI. The first step, of course, is to acquire the distribution and unpack it. The latest version of Cyrus SASL is available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.

Download the distribution file (cyrus-sasl-2.1.12.tar.gz at the time of this writing), uncompress, and untar it. As with any software you are about to install as part of an authentication path, verify the tarball against a checksum or signature obtained out of band before unpacking it.

7.6.1 Building the Distribution

Once the distribution is unpacked, we're ready to configure it for GSSAPI support. The only option required by the configure script to enable GSSAPI support is --enable-gssapi, which takes one argument: the root directory of your Kerberos 5 installation (for example, --enable-gssapi=/usr/local when the GSSAPI headers live under /usr/local/include and the libraries under /usr/local/lib). Of course, additional configure options can be appended for other authentication services that SASL supports. Note that Cyrus SASL has several external dependencies, notably a recent-vintage database library such as Berkeley DB or GNU DBM; the --with-dblib option selects which one sasldb is built against. During build testing of Cyrus SASL on a FreeBSD host, the configure process claimed to find a compatible DB engine, yet the build failed until GDBM was installed. If you encounter build failures, ensure that you have a compatible DB library installed and have provided the appropriate configure flags so that the build
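The acquire-verify-unpack-configure procedure above, collected into a small POSIX shell script. This is an added example, not code from the book or from the Cyrus SASL project. The version number, install prefix, Kerberos root and the checksum value passed to build_sasl_gssapi are placeholders you supply; --enable-gssapi=DIR and --with-dblib are real Cyrus SASL configure options, and the header and library names checked by krb5_root_ok are the conventional MIT/Heimdal file names, which is an assumption about your Kerberos build.

```shell
#!/bin/sh
# Added example (not from the book or the Cyrus SASL project): vet the
# pieces of a Cyrus SASL build with GSSAPI support before running configure.
# Paths, prefix, version and checksum values are illustrative assumptions.

# Compare a tarball against a SHA-256 value obtained out of band (the
# project's published checksum, or the digest of a signature-verified copy).
# Returns 0 on match, 1 otherwise.
tarball_checksum_ok() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Does DIR look like a Kerberos 5 installation root that --enable-gssapi=DIR
# can use? configure needs the GSSAPI header and a GSSAPI library under it
# (libgssapi_krb5 for MIT, libgssapi for Heimdal; assumed file names).
krb5_root_ok() {
    dir=$1
    [ -f "$dir/include/gssapi/gssapi.h" ] || return 1
    for lib in libgssapi_krb5 libgssapi; do
        for ext in so dylib a; do
            [ -e "$dir/lib/$lib.$ext" ] && return 0
        done
    done
    return 1
}

# Print the configure line. "berkeley" selects Berkeley DB for sasldb;
# pass "gdbm" to force GNU DBM, as the FreeBSD build in the text needed.
sasl_configure_cmd() {
    krb5_root=$1; prefix=$2; dblib=${3:-berkeley}
    printf './configure --prefix=%s --enable-gssapi=%s --with-dblib=%s\n' \
        "$prefix" "$krb5_root" "$dblib"
}

# Full procedure: fetch, verify, unpack, configure and build. Not run
# automatically here; it needs network access and an installed Kerberos 5.
# Usage: build_sasl_gssapi 2.1.12 /usr/local /usr/local/sasl <sha256>
build_sasl_gssapi() {
    ver=$1; krb5_root=$2; prefix=$3; sum=$4
    tarball="cyrus-sasl-$ver.tar.gz"
    krb5_root_ok "$krb5_root" || {
        echo "no Kerberos 5 GSSAPI headers/libraries under $krb5_root" >&2
        return 1
    }
    [ -f "$tarball" ] || curl -fO "ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/$tarball"
    tarball_checksum_ok "$tarball" "$sum" || {
        echo "checksum mismatch for $tarball; refusing to build" >&2
        return 1
    }
    tar xzf "$tarball"
    cd "cyrus-sasl-$ver" || return 1
    eval "$(sasl_configure_cmd "$krb5_root" "$prefix")" && make
}
```

The checksum gate runs before tar ever touches the archive, so a tampered download is rejected rather than unpacked, and krb5_root_ok fails fast with a clear message instead of letting configure silently build without the GSSAPI plugin.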