SASL Configuration

Cyrus SASL configuration, like PAM, is handled on a per-service basis. Every application that uses SASL for authentication has its own configuration file. By default, these files are located in /usr/lib/sasl2 (or the directory where the plugins are installed) and are named Service.conf, where Service is the name of the application or service. For example, the configuration file for Sendmail’s SASL settings is /usr/lib/sasl2/Sendmail.conf, and the sample SASL application’s configuration file is located at /usr/lib/sasl2/sample.conf. The service name is defined by the application itself, so the exact name used by a particular application can be found in its source code or documentation. Other applications instead mix SASL configuration directives into the application’s own configuration file. In short, the location of the SASL configuration directives for a given application is highly application-dependent, so check the software documentation.

The SASL libraries recognize the following configuration directives. Additional authentication method-specific directives are supported, and documented on the SASL home page. Table 7-2 lists the options that are pertinent to a SASL library configured with GSSAPI support.

Table 7-2. SASL configuration directives

| Option | Description | Default |
|---|---|---|
| keytab | Location of the Kerberos 5 keytab file for the service’s principal. | /etc/krb5.keytab |
| mech_list | List of the authentication mechanisms ... | |
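The per-service lookup described above can be turned into a quick audit of which mechanisms a service is configured for and whether its keytab is readable by anyone but its owner. This is an added example, not code from the book; it assumes the `option: value` line syntax for Service.conf, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book. Assumes "option: value" lines in
# Service.conf; function names and sample files are constructed here.

SASL_CONF_DIR="${SASL_CONF_DIR:-/usr/lib/sasl2}"   # default plugin directory

# Print OPTION from SERVICE.conf, or FALLBACK if the file or option is absent.
sasl_option() {   # usage: sasl_option SERVICE OPTION [FALLBACK]
    conf="$SASL_CONF_DIR/$1.conf"
    val=""
    if [ -r "$conf" ]; then
        # Last occurrence wins here; commented-out lines never match.
        val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$conf" |
              tail -n 1 | sed 's/[[:space:]]*$//')
    fi
    printf '%s\n' "${val:-$3}"
}

# 0 = keytab has no group/other permission bits, 1 = too open, 2 = missing.
keytab_is_private() {   # usage: keytab_is_private SERVICE
    kt=$(sasl_option "$1" keytab /etc/krb5.keytab)   # Table 7-2 default
    [ -f "$kt" ] || return 2
    [ "$(ls -ldn "$kt" | cut -c5-10)" = "------" ]
}

# Constructed sample: temp config dir with sample.conf and a dummy keytab.
make_sample() {
    d=$(mktemp -d)
    printf 'not-a-real-keytab' > "$d/sample.keytab"
    chmod 644 "$d/sample.keytab"                     # deliberately world-readable
    printf '# constructed\nmech_list: gssapi\nkeytab: %s\n' "$d/sample.keytab" \
        > "$d/sample.conf"
    printf '%s\n' "$d"
}

SASL_CONF_DIR=$(make_sample)
echo "mech_list = $(sasl_option sample mech_list '(not set)')"
if keytab_is_private sample; then
    echo "keytab private"
else
    echo "keytab missing or readable by group/other: $kt"
fi
rm -rf "$SASL_CONF_DIR"
```

To check a real service, leave SASL_CONF_DIR at its default (or point it at the plugin directory in use) and pass the service name the application registers.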
