Apache HTTP Server Version 2.2
Available Languages: en
| Description: | User authentication using Cyrus libsasl2 password verification service |
|---|---|
| Status: | External |
| Module Identifier: | authn_sasl_module |
| Source File: | mod_authn_sasl.c |
| Compatibility: | Available in Apache 2.2 and later |
This module provides the mod_auth_basic authentication front-end with a way to authenticate users by checking credentials via the Cyrus SASL library. This may be interesting for setups where other servers (such as SMTP, IMAP or LDAP) already use SASL password verification services to authenticate users. The module is also useful for authenticating users against system databases without the need to elevate Apache HTTPD's access rights to superuser privileges. See AuthSaslPwcheckMethod for more information about this topic.
The saslauthd communication socket is restricted. You might have to add Apache HTTPD to the system group sasl (or similar) in order to be able to use the password verification services provided by the Cyrus SASL library.
When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the sasl value. Using it with mod_auth_digest is technically not possible.
| Description: | Sets the pwcheck_method used by libsasl2 for authentication. |
|---|---|
| Syntax: | AuthSaslPwcheckMethod method [method2] |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authn_sasl |
The AuthSaslPwcheckMethod directive sets the pwcheck_method used by libsasl2 for authentication.
The module supports two methods, saslauthd and auxprop. If both are given as parameters, the second one is used if the user could not be authenticated by the first one.
For example:
AuthSaslPwcheckMethod saslauthd auxprop
will first try to authenticate using the saslauthd method and will try auxprop if the user could not be authenticated using saslauthd.
Generally, using auxprop boils down to users being authenticated using the SASL database, whereas saslauthd defers authentication to the SASL authentication daemon, which also ships with the libsasl2 distribution. The saslauth daemon has a number of modules of its own, which allow it to verify passwords in a variety of ways, including PAM, LDAP, against a Kerberos database, and so on. Since saslauthd runs with superuser privileges, this is how you would, for example, want to authenticate users against the data contained in /etc/shadow. See the documentation that comes with libsasl2 for more information about the methods.
If no AuthSaslPwcheckMethod directive is given, the authentication defaults to what libsasl2 defaults to. At the time of writing, this is the auxprop method.
| Description: | Sets the application name used by libsasl2 during authentication. |
|---|---|
| Syntax: | AuthSaslAppname appname |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authn_sasl |
The AuthSaslAppname directive sets the application name to be used by libsasl2 during user authentication. Depending on the AuthSaslPwcheckMethod used, this name affects how authentication takes place.
For example, the Cyrus SASL library uses the name to load application-specific configuration from the file /usr/lib/sasl2/appname.conf, if it exists. If saslauthd is used, doing password verification via PAM, the application name is passed on to the PAM library. Thus the PAM configuration is loaded from, e.g., /etc/pam.d/appname.
For example:
AuthSaslAppname webmail
will use webmail as the application name, possibly using SASL configuration directives from the file /usr/lib/sasl2/webmail.conf and/or doing PAM authentication as specified in the file /etc/pam.d/webmail.
If no AuthSaslAppname directive is given, the default application name http is used.
| Description: | Sets the user realm used by libsasl2 during authentication. |
|---|---|
| Syntax: | AuthSaslRealm realm |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authn_sasl |
The AuthSaslRealm directive sets the user realm to be used by libsasl2 during authentication.
The Cyrus SASL library supports the concept of realms. A realm is an abstract set of users, and certain mechanisms authenticate users in a certain realm. Use this directive if you need to use a realm to be able to authenticate users.
For example:
AuthSaslRealm mit.edu
will use the realm mit.edu; a user must be a member of this realm to be able to authenticate successfully.
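
The directives above combined into one protected directory, as an added example that is not part of the module's own documentation. The path /var/www/webmail, the AuthName text and the presence of mod_ssl and of a PAM service file /etc/pam.d/webmail are assumptions.

```apache
# Added example, not from the mod_authn_sasl documentation.
# Assumed: the directory path, the AuthName text, mod_ssl being loaded,
# and an existing PAM service file /etc/pam.d/webmail.
<Directory "/var/www/webmail">
    # Basic authentication sends the password with every request in a
    # trivially decodable form, so refuse plain-HTTP access (mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Webmail"

    # Hand credential checking to mod_authn_sasl.
    AuthBasicProvider sasl

    # Only saslauthd is listed: there is no fallback to the auxprop
    # SASL database, so a single backend decides who may log in.
    AuthSaslPwcheckMethod saslauthd

    # With saslauthd verifying passwords through PAM, this name makes PAM
    # use /etc/pam.d/webmail instead of the default application name "http".
    AuthSaslAppname webmail

    Require valid-user
</Directory>
```

The account Apache HTTPD runs as still needs access to the saslauthd communication socket, for example through membership in the sasl group, while the server itself stays unprivileged.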