Managing Authentication in Oracle® Solaris 11.4

Updated: August 2019
 
 

SASL Transition to Oracle Solaris 11.4

    This version of Oracle Solaris supports most of the security mechanism plugins from Cyrus SASL, including auxprop plugins. For consumers of SASL that are configured for an earlier version of Oracle Solaris, the additional security mechanisms in Oracle Solaris 11.4 affect SASL authentication behavior.

  • If your SASL implementation is compiled with the saslplug.h header file from version 2.1.15, and if that software performs its own check for SASL_AUXPROP_PLUG_VERSION, you might need to recompile it with the Oracle Solaris saslplug.h file.

    The maximum value of SASL_AUXPROP_PLUG_VERSION in this release is 8.

  • If you provided an auxprop plugin to retrieve clear text passwords in earlier versions of Oracle Solaris for CRAM-MD5 or DIGEST-MD5 on the server side, you must recompile with the saslplug.h header file.

    Note -  CRAM-MD5 and DIGEST-MD5 are deprecated algorithms, as described in SASL Plugins in Single Packages. Recompile with an algorithm from the libsasl2 package.

  • If you provided an auxprop plugin to support password verification for the PLAIN plugin, you might also need to recompile.

  • Because Oracle Solaris supplies many more SASL plugins than were supplied in Oracle Solaris 11, consumers that are not narrowly configured can discover more runtime choices. Administrators must confirm that existing configurations exclude any plugins which site security policy excludes. For more information, see SASL Plugins.

Two formerly Oracle Solaris-only options have changed. The –log_level option is in Cyrus SASL and supported, but the –use_authid option is not supported. Also, the Cyrus SASL –keytab option is no longer supported. To set the default keytab location, use the KRB5_KTNAME environment variable.

The Cyrus SASL –saslauthd_path option is now supported.
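
The following added example (not Oracle's code and not part of the original page) audits the text of a SASL consumer's configuration file against the plugin list and the option changes above. It assumes the Cyrus SASL "option: value" file format and the Cyrus SASL mech_list option, which this page does not name; the function names, sample configurations, and default deny list are constructed for illustration.

```python
# Added example: audit a Cyrus SASL application config ("option: value" lines)
# against the transition notes above. Sample configs are constructed.
DEPRECATED_MECHS = {"CRAM-MD5", "DIGEST-MD5"}   # called deprecated on this page
UNSUPPORTED_OPTIONS = {                          # option changes from this page
    "use_authid": "not supported in Oracle Solaris 11.4",
    "keytab": "no longer supported; set KRB5_KTNAME instead",
}

def parse_sasl_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip()] = value.strip()
    return options

def audit_sasl_conf(text, denied_mechs=DEPRECATED_MECHS):
    """Return a list of findings for the contents of one config file."""
    options = parse_sasl_conf(text)
    findings = []
    if "mech_list" not in options:
        # Assumption: mech_list is how this consumer narrows its mechanisms.
        findings.append("mech_list missing: config does not narrow the mechanisms")
    else:
        # Mechanism names are compared case-insensitively here.
        offered = {m.upper() for m in options["mech_list"].split()}
        for mech in sorted(offered & {d.upper() for d in denied_mechs}):
            findings.append(f"mech_list allows {mech}, which policy excludes")
    for name, reason in UNSUPPORTED_OPTIONS.items():
        if name in options:
            findings.append(f"option {name}: {reason}")
    return findings

SAMPLE_OLD = """\
# constructed sample: configuration carried over from an earlier release
pwcheck_method: auxprop
mech_list: PLAIN digest-md5 GSSAPI
keytab: /etc/krb5/example.keytab
"""
SAMPLE_OPEN = "log_level: 3\n"   # constructed sample: no mech_list at all

if __name__ == "__main__":
    for label, conf in (("old", SAMPLE_OLD), ("open", SAMPLE_OPEN)):
        for finding in audit_sasl_conf(conf) or ["no findings"]:
            print(f"{label}: {finding}")
```

Pass a site-specific set as denied_mechs to check mechanisms beyond the two deprecated ones.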

Oracle Solaris SASL Documentation

For Oracle Solaris differences in SASL implementation, review this chapter, the man pages in section 3SASL, and the pluginviewer(8), saslauthd(8), sasldblistusers2(8), and saslpasswd2(8) man pages.

SASL Test Suite From Oracle Solaris

Oracle Solaris delivers some test programs that can be useful when testing SASL configurations. They are in the /usr/lib/sasl2/tests and /usr/lib/sasl2/tests/$MACH32 directories. In addition, if facet.optional.test is set to true, a small test program called testsuite and the TestSuite.conf file are delivered to those directories.