Apache HTTP Server Version 2.2
Available Languages: en
Description: | User authentication using Cyrus libsasl2 password verification service |
---|---|
Status: | External |
Module Identifier: | authn_sasl_module |
Source File: | mod_authn_sasl.c |
Compatibility: | Available in Apache 2.2 and later |
This module provides the mod_auth_basic authentication front-end with a way to authenticate users by checking credentials via the Cyrus SASL library. This may be interesting for setups where other daemons (e.g. for SMTP, IMAP or LDAP) already running on the machine use SASL to authenticate users. The module is also useful to authenticate users against databases that use shadow passwords. You do not need to elevate Apache HTTPD's access rights to superuser privileges. See AuthSaslPwcheckMethod for more information about this topic.
saslauthd communication socket is restricted. You might have to add Apache HTTPD to a certain system group (like sasl or similar) in order to be able to use the password verification services provided by the Cyrus SASL library.
When using mod_auth_basic this module is invoked with the directive AuthBasicProvider and a value of sasl. Using it with mod_auth_digest is unfortunately not possible for conceptual technical reasons.
Description: | Sets the pwcheck_method used by libsasl2 for authentication. |
---|---|
Syntax: | AuthSaslPwcheckMethod method [method2] |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Extension |
Module: | mod_authn_sasl |
The AuthSaslPwcheckMethod directive sets the pwcheck_method used by libsasl2 for authentication.
The module supports the two methods saslauthd and auxprop. If both of them are given as parameters, the second one is used if the user could not be authenticated by the first one.
For example:
AuthSaslPwcheckMethod saslauthd auxprop
will first try to authenticate using the saslauthd method and will try auxprop if the user could not be authenticated using saslauthd. Generally, using auxprop boils down to users being authenticated using the SASL database, whereas saslauthd defers authentication to the SASL authentication daemon, which also ships with the libsasl2 distribution. The saslauth daemon has a number of modules of its own, which allow it to verify passwords in a variety of ways, including PAM, LDAP, against a Kerberos database, and so on. Since saslauthd runs with superuser privileges, this is how you would, for example, want to authenticate users against the data contained in /etc/shadow. See the documentation that comes with libsasl2 for more information about the methods.
If no AuthSaslPwcheckMethod directive is given, the authentication defaults to what libsasl2 defaults to. At the time of writing this is the auxprop method.
Description: | Sets the application name used by libsasl2 during authentication. |
---|---|
Syntax: | AuthSaslAppname appname |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Extension |
Module: | mod_authn_sasl |
The AuthSaslAppname directive sets the application name to be used by libsasl2 during user authentication.
Depending on the AuthSaslPwcheckMethod used, this name affects how authentication takes place.
For example, the Cyrus SASL library uses the name to load application-specific configuration from the file /usr/lib/sasl2/appname.conf, if it exists. If saslauthd is used, doing password verification via PAM, the application name is passed on to the PAM library. Thus PAM configuration is e.g. loaded from /etc/pam.d/appname.
For example:
AuthSaslAppname webmail
will use webmail as the application name, so that SASL configuration directives are read from the file /usr/lib/sasl2/webmail.conf, where applicable, and/or PAM authentication is performed as specified in the file /etc/pam.d/webmail.
If no AuthSaslAppname directive is given, the default application name http is used.
This .htaccess file will let Apache HTTPD grant access only to users who can be authenticated against saslauthd:
AuthType Basic
AuthName "private area"
AuthBasicProvider sasl
AuthBasicAuthoritative On
AuthSaslPwcheckMethod saslauthd
Require valid-user
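To review a configuration like this one, it helps to resolve which pwcheck methods and which application-specific files actually govern authentication. The following is an added example, not part of the module or its documentation: the function name resolve_sasl_auth and the sample text are hypothetical, and it encodes only the rules stated on this page (valid methods, the http default, the two derived file paths, the mod_auth_digest restriction).

```python
import shlex

VALID_METHODS = ("saslauthd", "auxprop")   # the two methods the module supports

# Constructed sample: the .htaccess from this page plus a fallback and an appname.
SAMPLE = '''
AuthType Basic
AuthName "private area"
AuthBasicProvider sasl
AuthBasicAuthoritative On
AuthSaslPwcheckMethod saslauthd auxprop
AuthSaslAppname webmail
Require valid-user
'''

def resolve_sasl_auth(htaccess_text):
    """Return the effective mod_authn_sasl settings and a list of problems."""
    directives = {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives[name.lower()] = args      # directive names are case-insensitive

    problems = []
    if "sasl" not in directives.get("authbasicprovider", []):
        problems.append("AuthBasicProvider does not list sasl, so this module is never invoked")
    if [a.lower() for a in directives.get("authtype", [])] == ["digest"]:
        problems.append("AuthType Digest: the module cannot be used with mod_auth_digest")

    methods = directives.get("authsaslpwcheckmethod")
    if methods is not None:
        if not 1 <= len(methods) <= 2:
            problems.append("AuthSaslPwcheckMethod takes one or two methods")
        problems += [f"unknown pwcheck method: {m}" for m in methods if m not in VALID_METHODS]

    appname = (directives.get("authsaslappname") or ["http"])[0]   # documented default
    return {
        "methods": methods or [],          # empty list: libsasl2's own default applies
        "appname": appname,
        "sasl_conf": f"/usr/lib/sasl2/{appname}.conf",
        # Reported only when saslauthd is named explicitly; used if it verifies via PAM.
        "pam_file": f"/etc/pam.d/{appname}" if "saslauthd" in (methods or []) else None,
        "problems": problems,
    }

if __name__ == "__main__":
    for key, value in resolve_sasl_auth(SAMPLE).items():
        print(f"{key}: {value}")
```

The reported files are the ones to audit for ownership and permissions, since they decide how passwords are verified for the protected directory.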