Read Me First

This document offers a general overview of the Cyrus SASL library. The Cyrus SASL Libray provides applications with an implementation of the Simple Authentication and Security Layer (RFC2222), and several authentication mechanisms. Users interested in the "big picture" of what is provided by the library should read about Cyrus SASL Components.


The following mechanisms are included in this distribution:
  • CRAM-MD5
  • GSSAPI (MIT Kerberos 5, Heimdal Kerberos 5 or CyberSafe)
  • NTLM (requires OpenSSL libcrypto)
  • OTP (requires OpenSSL libcrypto)
  • SRP (work in progress; requires OpenSSL libcrypto)
The library also supports storing user secrets in either a hash database (e.g. Berkeley DB, gdbm, ndbm), LDAP, or in a SQL database (MySQL, Postgres). Additionally, mechanisms such as PLAIN and LOGIN (where the plaintext password is directly supplied by the client) can perform direct password verification via the saslauthd daemon. This allows the use of LDAP, PAM, and a variety of other password verification routines. The sample directory contains two programs which provide a reference for using the library, as well as making it easy to test a mechanism on the command line. See programming.php for more information.

This library is believed to be thread safe IF:

  • you supply mutex functions (see sasl_set_mutex())
  • you make no libsasl calls until sasl_client/server_init() completes
  • no libsasl calls are made after sasl_done() is begun
  • when using GSSAPI, you use a thread-safe GSS / Kerberos 5 library.


First, if you are upgrading from Cyrus SASLv1, please see upgrading.php.

Please see the file install.php for instructions on how to install this package.

Note that the library can use the environment variable SASL_PATH to locate the directory where the mechanisms are; this should be a colon-separated list of directories containing plugins. Otherwise it will default to the value of --with-plugindir as supplied to configure (which itself defaults to /usr/local/lib).


Please read macosx.php


Please read windows.php. This configuration has not been extensively tested.


There are two main ways to configure the SASL library for a given application. The first (and typically easiest) is to make use of the application's configuration files. Provided the application supports it (via the SASL_CB_GETOPT callback), please refer to that documetation for how to supply SASL options.

Alternatively, Cyrus SASL looks for configuration files in /usr/lib/sasl/Appname.conf where Appname is settable by the application (for example, Sendmail 8.10 and later set this to "Sendmail").

Configuration using the application's configuration files (via the getopt callback) will override those supplied by the SASL configuration files.

For a detailed guide on configuring libsasl, please look at sysadmin.php and options.php


  • libtool doesn't always link libraries together. In our environment, we only have static Krb5 libraries; the GSSAPI plugin should link these libraries in on platforms that support it (Solaris and Linux among them) but it does not. It also doesn't always get the runpath of libraries correct.
  • Also see our bugzilla.


For any comments/suggestions/bug reports, please contact Be sure to include the version of libsasl and your operating system; messages without this information will not be answered.

Major contributors to the libsasl code can be found in the top-level file AUTHORS. Additionally saslauthd has an AUTHORS file that lists major contributors as well.

People considering doing binary distributions that include saslauthd should be aware that the code is covered by several slightly different (but compatible) licenses, due to how it was contributed. Details can be found within the source code.

Back to the index