Pwcheck
=======

Auxprop
-------

Auxprop-hashed
--------------

Saslauthd
---------

**What is saslauthd?** saslauthd is a daemon which validates

``ldap_servers`` - ``ldap://localhost``

    Specify a space separated list of LDAP server URIs of the form **ldap[si]://[name[:port]]**. See the ``ldap.conf`` *URI* option for formatting details.

``ldap_bind_dn`` - none

    When simple authentication is desired, specify a distinguished name to use for a simple authenticated bind or a simple unauthenticated bind. Do not specify if an anonymous bind is desired. This option is ignored when the evaluated ``ldap_auth_method`` is ``fastbind``.

``ldap_bind_pw`` - none

    ``ldap_bind_pw`` is an alias for ``ldap_password``.

``ldap_password`` - none

    When simple authentication is desired, specify a password to perform an authenticated bind, or do not specify for an unauthenticated or anonymous bind. When SASL authentication is desired, specify a password to use where required by the underlying SASL mechanism. This option is ignored when the evaluated ``ldap_auth_method`` is ``fastbind``.

``ldap_version`` - 3

    Defaults to version *3*. If ``ldap_use_sasl`` or ``ldap_start_tls`` are enabled, this option will be ignored, and will conform to the default value. Version *3* **is** compatible with anonymous binds, simple authenticated binds and simple unauthenticated binds. Version *2* should only be necessary where required by the server.

``ldap_search_base`` - none

    When ``ldap_auth_method`` is evaluated as *bind*, ``ldap_search_base`` will be used to search for the user's distinguished name. When ``ldap_auth_method`` is *custom*, ``ldap_search_base`` will be used to find the user's ``ldap_password_attr`` attribute. When ``ldap_auth_method`` is evaluated as *fastbind*, ``ldap_search_base`` is ignored. If ``ldap_search_base`` contains substitution tokens, they will be replaced as specified in the ``ldap_filter`` token expansion rules.

``ldap_filter`` - uid=%u

    When ``ldap_auth_method`` is evaluated as *bind*, ``ldap_filter`` will be used to search for the user's distinguished name. When ``ldap_auth_method`` is *custom*, ``ldap_filter`` will become, after token expansion, the user's distinguished name. When ``ldap_auth_method`` is evaluated as *fastbind*, ``ldap_filter`` is ignored.

    The following tokens, when contained within the ``ldap_filter`` option, will be substituted with the specified values:

    ``%%``

        is replaced with a literal %.

    ``%u``

        is replaced with the userid to be authenticated.

    ``%U``

        is replaced by the portion of the userid before the first @ character. If an @ character does not exist in the userid, then ``%U`` would function identically to ``%u``. For example, if the userid to be authenticated is *jsmith@example.org*, ``%u`` would be replaced by *jsmith@example.org* and ``%U`` would be replaced by *jsmith*.

    ``%d``

        is replaced by the portion of the userid after the first @ character. If an @ character does not exist in the userid, ``%d`` will be replaced by the ``realm`` value passed to ``saslauthd``. If no ``realm`` value was passed to saslauthd, ``%d`` will be replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` is not configured.

    ``%1-9``

        Within a userid which contains an @ character, followed by a domain name, ``%1`` will be replaced by the top level domain, ``%2`` will be replaced by the secondary domain, ``%3`` will be replaced by the tertiary domain, up to and including ``%9`` which would be replaced by the ninth level domain. If no @ character exists in the userid, or if there is no domain name after the @ character, or if the specified hierarchical domain level does not exist, the option is replaced by the ``realm`` value passed to ``saslauthd``. Should no ``realm`` value exist in those scenarios, the option is replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` has not been configured.

        For example, if the userid to be authenticated is *jsmith@example.org*, ``%1`` would be replaced by *org* and ``%2`` would be replaced by *example*.

    ``%s``

        is replaced by the ``service`` option passed to ``saslauthd``, or by an empty string if no ``service`` option was passed.

    ``%r``

        is replaced by the ``realm`` option passed to ``saslauthd``. If no ``realm`` value was passed to saslauthd, ``%r`` will be replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` is not configured.

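The token expansion rules above, implemented as an added Python example that is not saslauthd's own code: ``expand_tokens`` applies the ``%%``, ``%u``, ``%U``, ``%d``, ``%1``-``%9``, ``%s`` and ``%r`` rules, plus the ``%D`` token described under ``ldap_group_dn``. The ``SAMPLE`` request values and the optional ``escape`` hook (RFC 4515 filter escaping, which this page does not describe saslauthd as performing) are assumptions of the example.

```python
import re

# Constructed sample request (not from the page): the fields saslauthd is
# handed for one authentication attempt, plus the configured default realm.
SAMPLE = {"userid": "jsmith@example.org", "realm": None,
          "service": "imap", "default_realm": "corp.example"}

def ldap_filter_escape(value):
    """RFC 4515 filter escaping, opt-in: the page does not say if saslauthd escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand_tokens(template, userid, realm=None, service=None,
                  default_realm=None, auth_dn=None, escape=None):
    """Apply the ldap_filter token rules documented above (%%, %u, %U, %d,
    %1-%9, %s, %r) and the %D token of ldap_group_dn. `escape`, if given,
    is applied to every value taken from the request before substitution."""
    esc = escape or (lambda v: v)
    local, at, domain = userid.partition("@")
    # %d, %1-9 and %r fall back to the request realm, then ldap_default_realm, then "".
    fallback = realm if realm else (default_realm or "")
    labels = domain.split(".") if domain else []
    by_level = labels[::-1]              # %1 = top level, %2 = secondary, ...

    def sub(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok == "D":                   # DN from the authentication step
            return auth_dn or ""
        if tok == "u":
            val = userid
        elif tok == "U":
            val = local
        elif tok == "d":
            val = domain if at else fallback
        elif tok == "s":
            val = service or ""
        elif tok == "r":
            val = fallback
        else:                            # %1 .. %9
            n = int(tok)
            val = by_level[n - 1] if n <= len(by_level) else fallback
        return esc(val)

    return re.sub(r"%([%uUdsrD1-9])", sub, template)

def worked_example():
    """The page's jsmith@example.org example through a realistic filter."""
    return expand_tokens("(&(uid=%U)(ou=%2)(dc=%1)(svc=%s))", **SAMPLE)
```

The ``escape`` hook is meant for filter templates only; values substituted into ``ldap_group_dn`` are DN components and would need RFC 4514 escaping instead.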
``ldap_password_attr`` - userPassword

    When ``ldap_auth_method`` is evaluated as *custom*, ``ldap_password_attr`` specifies an attribute that will be requested and retrieved. If successfully retrieved, the authentication request will succeed if the ``ldap_password_attr`` attribute contains a supported password hash, and if the user-submitted password matches the hash. When ``ldap_auth_method`` is *bind* or *fastbind*, ``ldap_password_attr`` is ignored.

``ldap_group_dn`` - none

    If ``ldap_group_dn`` is specified, group authorization must also succeed (in addition to the prior authentication step), for the user's authentication attempt to be successful. If ``ldap_group_dn`` contains substitution tokens, they will be replaced as specified in the ``ldap_filter`` token expansion rules. One additional token substitution is applicable to ``ldap_group_dn``:

    ``%D``

        is replaced by the distinguished name that was specified, or evaluated, in the authentication step. If ``ldap_use_sasl`` is enabled, the distinguished name will be resolved by performing an ldapwhoami extended operation after a successful authentication. If ``ldap_group_dn`` is specified and ``ldap_use_sasl`` is enabled, but the ldap server does not support the ldapwhoami extended operation, or if the ldapwhoami extended operation fails, then the user's authentication attempt is unsuccessful.

``ldap_group_attr`` - uniqueMember

    ``ldap_group_attr`` is ignored unless ``ldap_group_dn`` is also specified and ``ldap_group_match_method`` is *attr*. ``ldap_group_attr`` specifies an attribute which contains the authenticating identity's distinguished name. See the ``ldap_group_match_method`` entry for additional details.

``ldap_group_filter`` - none

``ldap_group_search_base`` - defaults to the evaluated ``ldap_search_base``

``ldap_group_scope`` - *sub*

``ldap_group_match_method`` - attr

``ldap_default_realm`` - none

``ldap_default_domain`` - none

    ``ldap_default_domain`` is an alias for ``ldap_default_realm``.

``ldap_auth_method`` - bind

``ldap_timeout`` - 5

``ldap_size_limit`` - 1

``ldap_time_limit`` - 5

``ldap_deref`` - never

``ldap_referrals`` - no

``ldap_restart`` - yes

``ldap_scope`` - sub

``ldap_use_sasl`` - no

``ldap_id`` - none

``ldap_sasl_authc_id`` - none

``ldap_authz_id`` - none

    It does not make sense to supply an authz identity when performing sasl/fastbind.

``ldap_sasl_authz_id`` - none

    ``ldap_sasl_authz_id`` is an alias for ``ldap_authz_id``.

``ldap_realm`` - none

``ldap_sasl_realm`` -

``ldap_mech`` -

    It does not make sense to use a mech that does not require an authname and password when using fastbind.

``ldap_sasl_mech`` -

``ldap_sasl_secprops`` -

``ldap_start_tls`` -

``ldap_tls_check_peer`` -

``ldap_tls_cacert_file`` -

``ldap_tls_cacert_dir`` -

``ldap_tls_ciphers`` -

``ldap_tls_cert`` -

``ldap_tls_key`` -

``ldap_debug`` -

Authdaemon
----------

Alwaystrue
----------

Auto Transition
---------------
