Differences


doc:cyrus_sasl [2010/03/05 12:25]
Matthew Wild
doc:cyrus_sasl [2010/09/01 20:14] (current)
Matthew Wild
Line 21: Line 21:
Configuring Cyrus SASL itself is currently beyond the scope of this documentation. If you feel you could contribute a simple how-to, or know the link of a good one to add below then [[:discuss|let us know]] :-) Configuring Cyrus SASL itself is currently beyond the scope of this documentation. If you feel you could contribute a simple how-to, or know the link of a good one to add below then [[:discuss|let us know]] :-)
 +
 +Prosody's Cyrus SASL-related options:
 +^ Option ^ Default ^ Description ^
 +|cyrus_service_name|xmpp|The service name to pass to Cyrus SASL.|
 +|cyrus_service_realm|(auto)|The realm to pass to Cyrus SASL, the virtual host the user is signing into if not specified.|
 +|cyrus_require_provisioning|false|If true then Prosody requires user accounts to exist in Prosody, even if successfully authenticated via SASL|
 +|cyrus_application_name|prosody|The application name to pass to Cyrus SASL. Determines the Cyrus SASL configuration file name.|
 +
 +==== Troubleshooting ====
 +=== Permissions ===
 +One of the most common issues is Prosody being unable to access the saslauthd socket (this is obviously only an issue if you are using the saslauthd daemon), used to communicate with the authentication daemon. An example error caused by this would be:
 +
 +   Got SASL error condition -1: Password verification failed
 +
 +This can be confirmed by trying testsaslauthd as root and then as the user prosody runs as (typically 'prosody'); the former should succeed and the latter should fail.
 +
 +The solution is to make sure that prosody can access the socket (typically in /var/run/saslauthd/) by adding the 'prosody' user to the 'sasl' group (or otherwise ensuring that the prosody user has filesystem permissions to access the socket).
 +
 +=== Cyrus SASL Configuration file ===
 +Cyrus SASL needs a configuration file in order to know where to look for user credentials.  For Prosody, the file will be named prosody.conf by default.  Its location varies by OS and distribution; refer to the table below or your local system documentation for where it should go.
 +
 +^ Location   ^ Platforms         ^
 +| /etc/sasl  | Debian and Ubuntu |
 +| /etc/sasl2 | Arch, RHEL/CentOS |
 +
 +The contents of the configuration file depend on what you want to authenticate against.  If you want to authenticate against local accounts, you'll want to set up saslauthd (the configuration of saslauthd varies from system to system), and your prosody.conf will look like this:
 +  pwcheck_method: saslauthd
 +  mech_list: PLAIN
 +
 +If using saslauthd, you must specify only PLAIN in the mech_list, as it only supports plaintext authentication methods.
==== Other references ==== ==== Other references ====
  * [[http://blog.marc-seeger.de/2009/12/30/Setting_up_prosody_to_authenticate_against_LDAP|Setting up Prosody to authenticate against LDAP (blog post)]]   * [[http://blog.marc-seeger.de/2009/12/30/Setting_up_prosody_to_authenticate_against_LDAP|Setting up Prosody to authenticate against LDAP (blog post)]]
 +    * This post uses xmpp.conf, but the name is now prosody.conf (see cyrus_application_name above)
  * [[http://www.arschkrebs.de/slides/surviving_cyrus_sasl-handout.pdf|Surviving Cyrus SASL (PDF)]] [[http://docs.google.com/viewer?url=http%3A%2F%2Fwww.arschkrebs.de%2Fslides%2Fsurviving_cyrus_sasl-handout.pdf|(view)]]   * [[http://www.arschkrebs.de/slides/surviving_cyrus_sasl-handout.pdf|Surviving Cyrus SASL (PDF)]] [[http://docs.google.com/viewer?url=http%3A%2F%2Fwww.arschkrebs.de%2Fslides%2Fsurviving_cyrus_sasl-handout.pdf|(view)]]
 +  * [[http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsasl/include/sasl.h#186|Cyrus SASL error codes]]
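Review bot: the saslauthd snippet ("pwcheck_method: saslauthd" / "mech_list: PLAIN") sends the user's password to the server in the clear, and the sentence that follows it ("If using saslauthd, you must specify only PLAIN in the mech_list ...") should add that PLAIN must therefore only be offered on TLS-protected client streams, otherwise the local account credentials it checks cross the network unprotected. Also, the cyrus_require_provisioning row only describes the "true" case; since the default is "false", the description should spell out the consequence of the default, namely that any account the Cyrus backend accepts can log in even though no account exists in Prosody, so operators know what the out-of-the-box setting grants.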
 
doc/cyrus_sasl.1267791943.txt.gz · Last modified: 2010/03/05 12:25 by Matthew Wild