Managing Authentication in Oracle® Solaris 11.4

Updated: November 2020

SASL Reference

The HTML documentation from Cyrus SASL is delivered unchanged in the /usr/share/doc/libsasl2 directory. You can prevent this documentation from being installed by changing the value of the facet.doc.html system facet to false in the package manifest.

For a comprehensive SASL reference, see the Cyrus SASL web site (https://www.cyrusimap.org/sasl/). For descriptions of SASL options, see https://www.cyrusimap.org/sasl/sasl/options.html. For documentation specific to the Oracle Solaris implementation of Cyrus SASL, see Oracle Solaris SASL Documentation.

SASL Plugins

SASL plugins provide support for security mechanisms, user canonicalization, and auxiliary property retrieval. By default, the dynamically loaded 32-bit plugins are installed in /usr/lib/sasl2, and the 64-bit plugins are installed in /usr/lib/sasl2/$ISA.

With the exception of libsasldb, these plugins are API-compatible with the plugins in Oracle Solaris 11. For more information, see SASL Transition to Oracle Solaris 11.4 and the Cyrus SASL web site.

SASL Plugins in the libsasl2 Package

In this release, Oracle Solaris renames the SASL plugins that it supported in Oracle Solaris 11 and adds support for more SASL plugins.


Renamed from login.so.1. LOGIN supports legacy email.


Renamed from plain.so.1. PLAIN supports authentication and authorization.


libotp.so.3.0.0 provides one-time authentication and authorization. One-time password (OTP) is a good choice where the client is untrusted, such as a terminal in a public library, and where the server allows interactive logins.


libsasldb.so.3.0.0 is an authentication and authorization mechanism that can provide a data store for SCRAM.


libscram.so.3.0.0 implements the SHA-1 algorithm family to support authentication, authorization, and privacy.

SASL Plugins in Single Packages

The following plugins are not included in the libsasl2 package, but are available as separate packages. Install them only for interoperability with legacy systems. The authentication that these plugins provide is not considered secure.


libanonymous.so.3.0.0 supports authorization without authentication to a server that allows anonymous access, which is typically restricted.


Renamed from crammd5.so.1. CRAM-MD5 supports authentication only, no authorization.


Renamed from digestmd5.so.1. MD5-DIGEST supports authentication, integrity, and privacy, as well as authorization.

SASL Configuration

Configuration options for SASL applications are found either in an application's own standard configuration files or in /etc/sasl2/app.conf, where app is the application name as passed to libsasl2. For example, the openldap application uses the sasl- prefix to indicate its SASL options in its own /etc/openldap/slapd.conf configuration file. For an example of using the /etc/sasl2/ directory, see How to set configuration options in /usr/lib/doc/libsasl2/sysadmin.html.
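
The following shell check is an added example, not part of the Oracle documentation or the Cyrus SASL project. It reads a SASL application configuration file of the kind kept in /etc/sasl2/app.conf and reports when the Cyrus SASL mech_list option allows one of the legacy mechanisms described above as not secure, or when no mech_list is set at all. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the Cyrus SASL "option: value" file format and its
# mech_list option (whitespace-separated mechanism names).

# Mechanisms served by the separately packaged legacy plugins
# (DIGEST-MD5 is the registered name of the digestmd5 plugin's mechanism).
LEGACY_MECHS="ANONYMOUS CRAM-MD5 DIGEST-MD5"

# audit_sasl_conf FILE: print findings; return 1 if any, 0 if clean.
audit_sasl_conf() {
    conf=$1
    findings=0
    # This script uses the last mech_list line and skips comment lines.
    mechs=$(awk '
        /^[ \t]*#/ { next }
        /^[ \t]*mech_list[ \t]*:/ { sub(/^[^:]*:/, ""); v = $0 }
        END { print toupper(v) }' "$conf")
    if [ -z "$(echo $mechs)" ]; then
        echo "$conf: no mech_list; every installed mechanism is offered"
        return 1
    fi
    for m in $mechs; do
        for bad in $LEGACY_MECHS; do
            if [ "$m" = "$bad" ]; then
                echo "$conf: mech_list allows legacy mechanism $m"
                findings=1
            fi
        done
    done
    return $findings
}

# Constructed sample files standing in for /etc/sasl2/app.conf.
make_samples() {
    printf '%s\n' '# constructed sample' 'pwcheck_method: auxprop' \
        'mech_list: SCRAM-SHA-1 digest-md5 CRAM-MD5' > "$1/legacy.conf"
    printf '%s\n' 'mech_list: SCRAM-SHA-1' > "$1/strict.conf"
    printf '%s\n' '#mech_list: PLAIN' 'log_level: 3' > "$1/unset.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.conf; do
    audit_sasl_conf "$f" || true
done
rm -rf "$demo_dir"
```

On a real system, point audit_sasl_conf at each file under /etc/sasl2/. Applications that keep SASL options in their own configuration files, such as slapd.conf with its sasl- prefix, need a separate check.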