SASL Options

The behavior of libsasl and the plug-ins can be modified on the server side by using options that can be set in the /etc/sasl/app.conf file. The variable app is the server-defined name for the application. The documentation for the server app should specify the application name.

The following options are supported in the Solaris 10 release:

auto_transition

Automatically transitions the user to other mechanisms when the user does a successful plain text authentication.

auxprop_login

Lists the name of auxiliary property plug-ins to use.

canon_user_plugin

Selects the canon_user plug-in to use.

mech_list

Lists the mechanisms that are allowed to be used by the server application.

pwcheck_method

Lists the mechanisms used to verify passwords. Currently, auxprop is the only allowed value.

reauth_timeout

Sets the length of time, in minutes, that authentication information is cached for a fast reauthentication. This option is used by the DIGEST-MD5 plug-in. Setting this option to 0 disables reauthentication.

The following options are not supported in the Solaris 10 release:

plugin_list

Lists available mechanisms. Not used because the option changes the behavior of the dynamic loading of plugins.

saslauthd_path

Defines the location of the saslauthd door, which is used for communicating with the saslauthd daemon. The saslauthd daemon is not included in the Solaris 10 release. So, this option is also not included.

keytab

Defines the location of the keytab file used by the GSSAPI plug-in. Use the KRB5_KTNAME environment variable instead to set the default keytab location.

The following options are options not found in Cyrus SASL. However, they have been added for the Solaris 10 release:

use_authid

Acquire the client credentials rather than use the default credentials when creating the GSS client security context. By default, the default client Kerberos identity is used.

log_level

Sets the desired level of logging for a server.