Differences between current version and revision by previous author of SASLNotes.

Newer page: version 5 Last edited on Thursday, July 20, 2006 9:21:32 pm by MattBrown
Older page: version 4 Last edited on Monday, November 29, 2004 1:38:51 pm by AristotlePagaltzis
@@ -49,13 +49,13 @@
 [SASL] stores passwords in /etc/sasldb and/or /etc/sasldb2 by default. Why it doesn't it do it somewhere in /var like it should is anyone's guess. However this means that /etc will have to be writable. Passwords are stored in these files __in plain text__, so make sure your permissions on them are correct. You can disable this by providing the -n parameter to saslpasswd2. You have been warned. 
  
 ---- 
  
-[SASL] has the concepts of realms. A "realm" is authentication mechanism dependant, but the general idea is that it works like a kerberos realm. By default you'll be using the realm which is the same as your hostname. If you're authenticating against a different host, make sure your realm is right or it isn't going to work. 
+[SASL] has the concepts of realms. A "realm" is authentication mechanism dependant, but the general idea is that it works like a kerberos realm. By default you'll be using the realm which is the same as your hostname. If you're authenticating against a different host, make sure your realm is right or it isn't going to work. If you're using saslauthd with something like [Cyrus] doing virtual hosting you'll almost certainly need to start saslauthd with the ''-r'' argument to tell it to pass the full username (including the realm) through to the backend (eg. PAM)  
  
 ---- 
  
 [SASL] allows one user to authenticate on behalf of another user. I have no idea why on earth it supports that or why you'd practically want to use it, but it does support it. It calls this an authorization identity. 
  
 ---- 
  
 [SASL] sounds like the only reason you'd even consider it is if you're using Kerberos, although, in the case of Kerberos, it sounds like it will work really well. [YMMV]
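
Review bot: the sentence added on the + line stops after "(eg. PAM)" with no closing full stop, and the line keeps "dependant" and lowercase "kerberos" from the - line even though it is being rewritten anyway; suggest "dependent", "Kerberos", "e.g." and a terminating period. The addition would also help more if it stated what the backend receives with and without ''-r'', since someone debugging virtual-hosted [Cyrus] logins needs to know whether PAM is handed the bare username or the username with the realm attached.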