Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

SASL Plugins

SASL plugins provide support for security mechanisms, user-canonicalization, and auxiliary property retrieval. By default, the dynamically loaded 32-bit plugins are installed in /usr/lib/sasl, and the 64-bit plugins are installed in /usr/lib/sasl/$ISA. The following security mechanism plugins are provided:

CRAM-MD5, which supports authentication only, no authorization

DIGEST-MD5, which supports authentication, integrity, and privacy, as well as authorization

GSSAPI, which supports authentication, integrity, and privacy, as well as authorization. The GSSAPI security mechanism requires a functioning Kerberos infrastructure.

PLAIN, which supports authentication and authorization.

In addition, the EXTERNAL security mechanism plugin and the INTERNAL user canonicalization plugins are built into The EXTERNAL mechanism supports authentication and authorization. The mechanism supports integrity and privacy if the external security source provides it. The INTERNAL plugin adds the realm name if necessary to the username.

The Oracle Solaris release is not supplying any auxprop plugins at this time. For the CRAM-MD5 and DIGEST-MD5 mechanism plugins to be fully operational on the server side, the user must provide an auxprop plugin to retrieve clear text passwords. The PLAIN plugin requires additional support to verify the password. The support for password verification can be one of the following: a callback to the server application, an auxprop plugin, saslauthd, or pwcheck. The salauthd and pwcheck daemons are not provided in the Oracle Solaris releases. For better interoperability, restrict server applications to those mechanisms that are fully operational by using the –mech_list SASL option.