source: postlfs/security/cyrus-sasl.xml@ 1cf343a7

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY cyrus-sasl-download-http " ">
  <!ENTITY cyrus-sasl-download-ftp  "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-&cyrus-sasl-version;.tar.gz">
  <!ENTITY cyrus-sasl-md5sum        "a7f4e5e559a0e37b3ffc438c9456e425">
  <!ENTITY cyrus-sasl-size          "5.0 MB">
  <!ENTITY cyrus-sasl-buildsize     "30 MB">
  <!ENTITY cyrus-sasl-time          "0.5 SBU">
]>

<sect1 id="cyrus-sasl" xreflabel="Cyrus SASL-&cyrus-sasl-version;">
  <?dbhtml filename="cyrus-sasl.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Cyrus SASL-&cyrus-sasl-version;</title>

  <indexterm zone="cyrus-sasl">
    <primary sortas="a-Cyrus-SASL">Cyrus SASL</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Cyrus SASL</title>

    <para>
      The <application>Cyrus SASL</application> package contains a Simple
      Authentication and Security Layer, a method for adding authentication
      support to connection-based protocols. To use SASL, a protocol includes
      a command for identifying and authenticating a user to a server and for
      optionally negotiating protection of subsequent protocol interactions.
      If its use is negotiated, a security layer is inserted between the
      protocol and the connection.
    </para>

    &lfs75_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&cyrus-sasl-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&cyrus-sasl-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &cyrus-sasl-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &cyrus-sasl-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &cyrus-sasl-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &cyrus-sasl-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/cyrus-sasl-&cyrus-sasl-version;-fixes-1.patch"/>
       </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Cyrus SASL Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="openssl"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="db"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="mariadb"/> or <xref linkend="mysql"/>,
      <xref linkend="openjdk"/>,
      <xref linkend="openldap"/>,
      <xref linkend="postgresql"/>,
      <xref linkend="sqlite"/>,
      <ulink url="ftp://ftp.pdc.kth.se/pub/krb/src/">krb4</ulink> and
      <ulink url="http://dmalloc.com/">Dmalloc</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/cyrus-sasl"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Cyrus SASL</title>

    <note>
      <para>
        This package does not support parallel build.
      </para>
    </note>

    <para>
      Install <application>Cyrus SASL</application> by
      running the following commands:
    </para>

<screen><userinput>patch -Np1 -i ../cyrus-sasl-&cyrus-sasl-version;-fixes-1.patch &amp;&amp;
autoreconf -fi &amp;&amp;
pushd saslauthd &amp;&amp;
autoreconf -fi &amp;&amp;
popd &amp;&amp;
./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --enable-auth-sasldb \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run/saslauthd \
            CFLAGS=-fPIC &amp;&amp;
make -j1</userinput></screen>

    <para>
      This package does not come with a test suite. If you are planning
      on using the GSSAPI authentication mechanism, it is recommended to test
      it after installing the package using the sample server and client
      programs which were built in the preceding step. Instructions for
      performing the tests can be found at
      <ulink url="&hints-root;/downloads/files/cyrus-sasl.txt"/>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -dm755 /usr/share/doc/cyrus-sasl-&cyrus-sasl-version; &amp;&amp;
install -v -m644  doc/{*.{html,txt,fig},ONEWS,TODO} \
    saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-&cyrus-sasl-version; &amp;&amp;
install -v -dm700 /var/lib/sasl</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--with-dbpath=/var/lib/sasl/sasldb2</parameter>: This
      switch forces the <command>sasldb</command> database to be created
      in <filename class="directory">/var/lib/sasl</filename> instead of
      <filename class="directory">/etc</filename>.
    </para>

    <para>
      <parameter>--with-saslauthd=/var/run/saslauthd</parameter>: This
      switch forces <command>saslauthd</command> to use the FHS compliant
      directory <filename class="directory">/var/run/saslauthd</filename>
      for variable run-time data.
    </para>

    <para>
      <parameter>CFLAGS=-fPIC</parameter>: This ensures that the package can build
      on x86_64.
    </para>

    <para>
      <parameter>--enable-auth-sasldb</parameter>: This switch enables
      SASLDB authentication backend.
    </para>

    <para>
      <parameter>--with-dblib=gdbm</parameter>: This switch forces
      <application>GDBM</application> to be used instead of
      <application>Berkeley DB</application>.
    </para>

    <para>
      <option>--with-ldap</option>: This switch enables the
      <application>OpenLDAP</application> support.
    </para>

    <para>
      <option>--enable-ldapdb</option>: This switch enables the
      LDAPDB authentication backend. There is a circular dependency with this
      parameter. See <ulink url="&blfs-wiki;/cyrus-sasl"/> for a solution to
      this problem.
    </para>

    <para>
      <option>--enable-java</option>: This switch enables compiling of the
      <application>Java</application> support libraries.
    </para>

    <para>
      <option>--enable-login</option>: This option enables unsupported
      LOGIN authentication.
    </para>

    <para>
      <option>--enable-ntlm</option>: This option enables unsupported
      NTLM authentication.
    </para>

    <para>
      <command>install -v -m644 ...</command>: These commands
      install documentation which is not installed by the
      <command>make install</command> command.
    </para>

    <para>
      <command>install -v -m700 -d /var/lib/sasl</command>: This directory
      must exist when starting <command>saslauthd</command> or using the
      sasldb plugin. If you're not going to be running the daemon or
      using the plugins, you may omit the creation of this directory.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Cyrus SASL</title>

    <sect3 id="cyrus-sasl-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/saslauthd.conf</filename>
        (for <command>saslauthd</command> LDAP configuration) and
        <filename>/etc/sasl2/Appname.conf</filename>
        (where "Appname" is the application defined name of the application)
      </para>

      <indexterm zone="cyrus-sasl cyrus-sasl-config">
        <primary sortas="e-etc-saslauthd.conf">/etc/saslauthd.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        See
        <ulink url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/sysadmin.html"/>
        for information on what to include in the application configuration files.
      </para>

      <para>
        See
        <ulink url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/LDAP_SASLAUTHD"/>
        for configuring <command>saslauthd</command> with
        <application>OpenLDAP</application>.
      </para>

      <para>
        See
        <ulink url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/gssapi.html"/>
        for configuring <command>saslauthd</command> with <application>Kerberos</application>.
      </para>

    </sect3>

    <sect3 id="cyrus-sasl-init">
      <title>Init Script</title>

      <para>
        If you need to run the <command>saslauthd</command> daemon at system
        startup, install the <filename>/etc/rc.d/init.d/saslauthd</filename>
        init script included in the <xref linkend="bootscripts"/>
        package using the following command:
      </para>

      <indexterm zone="cyrus-sasl cyrus-sasl-init">
        <primary sortas="f-saslauthd">saslauthd</primary>
      </indexterm>

<screen role="root"><userinput>make install-saslauthd</userinput></screen>

      <note>
        <para>
          You'll need to modify /etc/sysconfig/saslauthd and replace the
          <option><replaceable>AUTHMECH</replaceable></option> parameter
          with your desired authentication mechanism.
        </para>
      </note>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          pluginviewer, saslauthd, sasldblistusers2, saslpasswd2 and
          testsaslauthd
        </seg>
        <seg>
          libsasl2.so
        </seg>
        <seg>
          /usr/include/sasl,
          /usr/lib/sasl2,
          /usr/share/doc/cyrus-sasl-&cyrus-sasl-version; and
          /var/lib/sasl
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="pluginviewer">
        <term><command>pluginviewer</command></term>
        <listitem>
          <para>
            is used to list loadable SASL plugins and their properties.
          </para>
          <indexterm zone="cyrus-sasl pluginviewer">
            <primary sortas="b-pluginviewer">pluginviewer</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="saslauthd">
        <term><command>saslauthd</command></term>
        <listitem>
          <para>
            is the SASL authentication server.
          </para>
          <indexterm zone="cyrus-sasl saslauthd">
            <primary sortas="b-saslauthd">saslauthd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sasldblistusers2">
        <term><command>sasldblistusers2</command></term>
        <listitem>
          <para>
            is used to list the users in the SASL password database
            <filename>sasldb2</filename>.
          </para>
          <indexterm zone="cyrus-sasl sasldblistusers2">
            <primary sortas="b-sasldblistusers2">sasldblistusers2</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="saslpasswd2">
        <term><command>saslpasswd2</command></term>
        <listitem>
          <para>
            is used to set and delete a user's SASL password and
            mechanism specific secrets in the SASL password
            database <filename>sasldb2</filename>.
          </para>
          <indexterm zone="cyrus-sasl saslpasswd2">
            <primary sortas="b-saslpasswd2">saslpasswd2</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="testsaslauthd">
        <term><command>testsaslauthd</command></term>
        <listitem>
          <para>
            is a test utility for the SASL authentication server.
          </para>
          <indexterm zone="cyrus-sasl testsaslauthd">
            <primary sortas="b-testsaslauthd">testsaslauthd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libsasl2">
        <term><filename class="libraryfile">libsasl2.so</filename></term>
        <listitem>
          <para>
            is a general purpose authentication library for server
            and client applications.
          </para>
          <indexterm zone="cyrus-sasl libsasl2">
            <primary sortas="c-libsasl2">libsasl2.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>