Dico

4.3.4 SASL Authentication

The SASL authentication is available if the server was compiled with GNU SASL.

Configuration: sasl { statements }

This block statement configures SASL authentication. The following is a short summary of its syntax and the available substatements:

sasl {
  # Disable SASL mechanisms listed in mech.
  disable-mechanism mech;
  # Enable SASL mechanisms listed in mech.
  enable-mechanism mech;
  # Set service name for GSSAPI and Kerberos.
  service name;
  # Set realm name for GSSAPI and Kerberos.
  realm name;
  # Define groups for anonymous users.
  anon-group group-list;
}

The list of available authentication mechanisms is configured using two statements:

sasl: disable-mechanism mech

Disables SASL mechanisms listed in mech, which is a list of names.

sasl: enable-mechanism mech

Enables SASL mechanisms listed in mech, which is a list of names.

The server builds a list of available mechanisms using the following algorithm. First, a list of implemented mechanisms is retrieved from the SASL library. If the enable-mechanism statement is defined, the resulting list is filtered so that only mechanisms listed in enable-mechanism remain. Further, if the disable-mechanism statement is defined, the names listed there are removed from the list.

sasl: service name

Sets the service name for GSSAPI and Kerberos mechanisms.

sasl: realm name

Sets the realm name.

sasl: anon-group list

Sets the list of user groups considered anonymous.

The database of user credentials depends on the authentication mechanism used. For GSSAPI or Kerberos it is managed by appropriate servers. Other mechanisms use the standard dicod user database configuration (see Authentication).