Go to main content

Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3

Exit Print View

Updated: May 2019

SASL Reference

The following section provides information about the implementation of SASL.

SASL Plugins

SASL plugins provide support for security mechanisms, user-canonicalization, and auxiliary property retrieval. By default, the dynamically loaded 32-bit plugins are installed in /usr/lib/sasl, and the 64-bit plugins are installed in /usr/lib/sasl/$ISA. The following security mechanism plugins are provided:


CRAM-MD5, which supports authentication only, no authorization


DIGEST-MD5, which supports authentication, integrity, and privacy, as well as authorization


GSSAPI, which supports authentication, integrity, and privacy, as well as authorization. The GSSAPI security mechanism requires a functioning Kerberos infrastructure.


PLAIN, which supports authentication and authorization.

In addition, the EXTERNAL security mechanism plugin and the INTERNAL user canonicalization plugins are built into libsasl.so.1. The EXTERNAL mechanism supports authentication and authorization. The mechanism supports integrity and privacy if the external security source provides it. The INTERNAL plugin adds the realm name if necessary to the username.

The Oracle Solaris release is not supplying any auxprop plugins at this time. For the CRAM-MD5 and DIGEST-MD5 mechanism plugins to be fully operational on the server side, the user must provide an auxprop plugin to retrieve clear text passwords. The PLAIN plugin requires additional support to verify the password. The support for password verification can be one of the following: a callback to the server application, an auxprop plugin, saslauthd, or pwcheck. The saslauthd and pwcheck daemons are not provided in the Oracle Solaris releases. For better interoperability, restrict server applications to those mechanisms that are fully operational by using the –mech_list SASL option.

SASL Environment Variable

By default, the client authentication name is set to getenv("LOGNAME"). This variable can be reset by the client or by the plugin.

SASL Options

The behavior of libsasl and the plugins can be modified on the server side by using options that can be set in the /etc/sasl/app.conf file. The variable app is the server-defined name for the application. The documentation for the server app should specify the application name.

The following options are supported:


Automatically transitions the user to other mechanisms when the user does a successful plain text authentication.


Lists the name of auxiliary property plugins to use.


Selects the canon_user plugin to use.


Lists the mechanisms that are allowed to be used by the server application.


Lists the mechanisms used to verify passwords. Currently, auxprop is the only allowed value.


Sets the length of time, in minutes, that authentication information is cached for a fast reauthentication. This option is used by the DIGEST-MD5 plugin. Setting this option to 0 disables reauthentication.

The following options are not supported:


Lists available mechanisms. Not used because the option changes the behavior of the dynamic loading of plugins.


Defines the location of the saslauthd door, which is used for communicating with the saslauthd daemon. The saslauthd daemon is not included in the Oracle Solaris release. So, this option is also not included.


Defines the location of the keytab file used by the GSSAPI plugin. Use the KRB5_KTNAME environment variable instead to set the default keytab location.

The following options are options not found in Cyrus SASL. However, they have been added for the Oracle Solaris release:


Acquires the client credentials rather than use the default credentials when creating the GSS client security context. By default, the default client Kerberos identity is used.


Sets the desired level of logging for a server.