# Pwcheck¶

## Saslauthd¶

What is saslauthd? saslauthd is a daemon which validates

ldap_servers - ldap://localhost

Specify a space separated list of LDAP server URIs of the form ldap[si]://[name[:port]]. See the ldap.conf URI option for formatting details.

ldap_bind_dn - none

When simple authentication is desired, specify a distinguished name to use for a simple authenticated bind or a simple unauthenticated bind. Do not specify if an anonymous bind is desired. This option is ignored when the evaluated ldap_auth_method is fastbind.

ldap_bind_pw - none

ldap_bind_pw is an alias for ldap_password.

ldap_password - none

When simple authentication is desired, specify a password to perform an authenticated bind, or do not specify for an unauthenticated or anonymous bind. When SASL authentication is desired, specify a password to use where required by the underlying SASL mechanism. This option is ignored when the evaluated ldap_auth_method is fastbind.

ldap_version - 3

Defaults to version 3. If ldap_use_sasl or ldap_start_tls are enabled, this option will be ignored, and will conform to the default value. Version 3 is compatible with anonymous binds, simple authenticated binds and simple unauthenticated binds. Version 2 should only be necessary where required by the server.

ldap_search_base - none

When ldap_auth_method is evaluated as bind, ldap_search_base will be used to search for the user’s distinguished name. When ldap_auth_method is custom, ldap_search_base will be used to find the user’s ldap_password_attr attribute. When ldap_auth_method is evaluated as fastbind, ldap_search_base is ignored. If ldap_search_base contains substitution tokens, they will be replaced as specified in the ldap_filter token expansion rules.

ldap_filter - uid=%u

When ldap_auth_method is evaluated as bind, ldap_filter will be used to search for the user’s distinguished name. When ldap_auth_method is custom, ldap_filter will become, after token expansion, the user’s distinguished name. When ldap_auth_method is evaluated as fastbind, ldap_filter is ignored.

The following tokens, when contained within the ldap_filter option, will be substituted with the specified values:

%%

is replaced with a literal %.

%u

is replaced with the userid to be authenticated.

%U

is replaced by the portion of the userid before the first @ character. If an @ character does not exist in the userid, then %U would function identically to %u. For example, if the userid to be authenticated is jsmith@example.org, %u would be replaced by jsmith@example.org and %U would be replaced by jsmith.

%d

is replaced by the portion of the userid after the first @ character. If an @ character does not exist in the userid, %d will be replaced by the realm value passed to saslauthd. If no realm value was passed to saslauthd, %d will be replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.

%1-9

Within a userid which contains an @ character, followed by a domain name, %1 will be replaced by the top level domain, %2 will be replaced by the secondary domain, %3 will be replaced by the tertiary domain, up to and including %9 which would be replaced by the ninth level domain. If no @ character exists in the userid, or if there is no domain name after the @ character, or if the specified hierarchical domain level does not exist, the option is replaced by the realm value passed to saslauthd. Should no realm value exist in those scenarios, the option is replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm has not been configured.

For example, if the userid to be authenticated is jsmith@example.org, %1 would be replaced by org and %2 would be replaced by example.

%s

is replaced by the service option passed to saslauthd, or by an empty string if no service option was passed.

%r

is replaced by the realm option passed to saslauthd. If no realm value was passed to saslauthd, %r will be replaced by the configured ldap_default_realm, or by an empty string if ldap_default_realm is not configured.

ldap_password_attr - userPassword

When ldap_auth_method is evaluated as custom, ldap_password_attr specifies an attribute that will be requested and retrived. If successfully retrived, the authentication request will succeed if the ldap_password_attr attribute contains a supported password hash, and if the user submitted password matches the hash. When ldap_auth_method is bind or fastbind, ldap_password_attr is ignored.

ldap_group_dn - none

If ldap_group_dn is specified, group authorization must also succeed (in addition to the prior authentication step), for the user’s authentication attempt to be successful. If ldap_group_dn contains substitution tokens, they will be replaced as specified in the ldap_filter token expansion rules. One additional token substitution is applicable to ldap_group_dn:

%D

is replaced by the distinguished name that was specified, or evaluated, in the authentication step. If ldap_use_sasl is enabled, the distinguished name will be resolved by performing an ldapwhoami extended operation after a successful authentication. If ldap_group_dn is specified and ldap_use_sasl is enabled, but the ldap server does not support the ldapwhoami extended operation, or if the ldapwhoami extended operation fails, then the user’s authentication attempt is unsuccessful.

ldap_group_attr - uniqueMember

ldap_group_attr is ignored unless ldap_group_dn is also specified and ldap_group_match_method is attr. ldap_group_attr specifies an attribute which contains the authenticating identity’s dinstinguished name. See the ldap_group_match_method entry for additional details.

ldap_group_filter - none

ldap_group_search_base - defaults to the evaluated ldap_search_base

ldap_group_scope - sub

ldap_group_match_method - attr

ldap_default_realm - none

ldap_default_domain - none

ldap_default_domain is an alias for ldap_default_realm.

ldap_auth_method - bind

ldap_timeout - 5

ldap_size_limit - 1

ldap_time_limit - 5

ldap_deref - never

ldap_referrals - no

ldap_restart - yes

ldap_scope - sub

ldap_use_sasl - no

ldap_id - none

ldap_sasl_authc_id - none

ldap_authz_id - none

Does not make any sense to supply an authz identity when performing sasl/fastbind.

ldap_sasl_authz_id - none

ldap_sasl_authz_id is an alias for ldap_authz_id.

ldap_realm - none

ldap_sasl_realm -

ldap_mech -

It doesn’t make any sense to use a mech that does not require an authname and password, when using fastbind.

ldap_sasl_mech -

ldap_sasl_secprops -

ldap_start_tls -

ldap_tls_check_peer -

ldap_tls_cacert_file -

ldap_tls_cacert_dir -

ldap_tls_ciphers -

ldap_tls_cert -

ldap_tls_key -

ldap_debug -