Re: saslauthd (was Re: SASL re-entrancy crisis)

From: Ken Murchison (no email)
Date: Thu Aug 09 2001 - 15:52:44 EDT


Jeremy Howard wrote:
>
> Ken Murchison wrote:
> > "Kevin J. Menard, Jr." wrote:
> <re pwcheck>
> > > Hmm . . . I honestly haven't checked this out yet. I'll have to take
> > > a look at it.
> >
> > If you're serious about this, you should really check out cmu-sasl
> > v1.5.27 or the latest CVS and use saslauthd. This is the replacement
> > for pwcheck and will be mandatory in SASL v2.
> >
>
> My understanding is that pwcheck will be unaffected by the upgrade.

I was mistaken. You are correct. pwcheck is not going away, it will
coexist with saslauthd. What I was thinking about is that SASLv2 will
not have any of the non-sasldb/non-pwcheck plaintext validation
mechanisms (PAM, /etc/shadow, etc) built into the library itself. All
of these methods of validating plaintext passwords will be passed off to
saslauthd. I hope I have stated this clearly and correctly this time.
:^)

> Having said that, I don't know much about saslauthd--I just looked at it
> yesterday after Ken mentioned it's in the 1.5.27 beta. There's not a lot of
> docs for it yet--Ken or Rob, could you provide some more info?

Just the source code and man page.

> I can see
> that the saslauthd daemon itself is a daemon that you can compile additional
> authentication mechanisms into, such as PAM, getpwent, and krb5 (all
> included in the SASL distribution). But, how is the saslauthd interface in
> SASL different to the pwcheck interface?

They are very similar. saslauthd was derived from pwcheck.

> What's the difference between
> './configure --with-pwcheck=/var/state/mydaemon' and
> './configure --with-saslauthd=/var/state/mydaemon'? What is required to
> change a pwcheck daemon to work with the saslauthd interface?

Simplified view: Just strip off the socket protocol/communication junk
and add a function pointer to saslauthd's list.

> Is there any
> reason to do this for existing pwcheck daemons?

Probably not IMHO.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp






