Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

auth_sasl_ex(3) [debian man page]

AUTH_SASL(3)						      Double Precision, Inc.						      AUTH_SASL(3)

NAME

       auth_sasl, auth_sasl_ex - SASL implementation

SYNOPSIS

	   #include <courierauthsasl.h>

       int rc=auth_sasl(const char *method, const char *initialresponse, char *(*conversation_func)(const char *, void *)), void *callback_arg,
			char **authtype_ret, char **authdata_ret);

       int rc=auth_sasl_ex(const char *method, const char *initialresponse, const char *externalauth,
			   char *(*conversation_func)(const char *, void *)), void *callback_arg, char **authtype_ret, char **authdata_ret);

DESCRIPTION

       auth_sasl is a generic SASL server implementation.  method is the requested SASL method. At this time auth_sasl knows how to handle the
       following SASL methods:

       o   LOGIN

       o   PLAIN

       o   CRAM-MD5

       o   CRAM-SHA1

       initialresponse is a base64-encoded initial response provided in the client's SASL request.  initialresponse must be NULL if an initial
       response was not included in the client's SASL request.

       conversation_func is the application-implemented SASL conversation callback function.  conversation_func receives a base64-encoded SASL
       prompt, and the callback_arg argument to auth_sasl.  conversation_func must return a buffer containing the base64-encoded reply from the
       client.	auth_sasl will free(3) this buffer when it's done.  conversation_func should return NULL to abort the SASL conversation.

       auth_sasl_ex is a version of auth_sasl that recognizes the EXTERNAL SASL method. It takes an extra parameter, externalauth. This parameter
       should be set to indicate an login that was authenticated via some other means, such as, perhaps, an SSL certificate, or NULL if no
       externally-authenticated identity was established.

       If method is not EXTERNAL, auth_sasl_ex is identical to auth_sasl, and externalauth is ignored. Otherwise, if method is EXTERNAL and
       externalauth is not NULL, auth_sasl_ex returns AUTHSASL_OK, and sets *authtype_ret and *authdata_ret accordingly, so that the subsequent
       invocation of auth_generic() returns authentication information for the login ID specified by externalauth.

RETURNS

       If the SASL conversation succesfully completes, auth_sasl or auth_sasl_ex initializes *authtype_ret and *authdata_ret. They will be set to
       a malloc(3)-ed buffers that can be directly passed as arguments to auth_generic(3)[1]. It is the application's responsibility to free(3)
       these buffers when it's done with them.

       auth_sasl or auth_sasl_ex returns AUTHSASL_OK when the SASL conversation succesfully completes, and *authtype_ret and *authdata_ret are
       succesfully assembled. Any other return indicates an error condition. Right now two error conditions are defined:

       AUTHSASL_ABORTED
	   The SASL conversation was aborted by the client.

       AUTHSASL_ERROR
	   General error (insufficient memory, or some other reason). Check errno for any clues.

SEE ALSO

       authlib(3)[2], auth_generic(3)[1].

NOTES

	1. auth_generic(3)
	   auth_generic.html

	2. authlib(3)
	   authlib.html

Double Precision, Inc.						    08/23/2008							      AUTH_SASL(3)

Check Out this Related Man Page

Authen::SASL::Perl(3)					User Contributed Perl Documentation				     Authen::SASL::Perl(3)

NAME

       Authen::SASL::Perl -- Perl implementation of the SASL Authentication framework

SYNOPSIS

	use Authen::SASL qw(Perl);

	$sasl = Authen::SASL->new(
	  mechanism => 'CRAM-MD5 PLAIN ANONYMOUS',
	  callback => {
	    user => $user,
	    pass => &fetch_password
	  }
	);

DESCRIPTION

       Authen::SASL::Perl is the pure Perl implementation of SASL mechanisms in the Authen::SASL framework.

       At the time of this writing it provides the client part implementation for the following SASL mechanisms:

       ANONYMOUS
	   The Anonymous SASL Mechanism as defined in RFC 2245 resp.  in IETF Draft draft-ietf-sasl-anon-03.txt from February 2004 provides a
	   method to anonymously access internet services.

	   Since it does no authentication it does not need to send any confidential information such as passwords in plain text over the network.

       CRAM-MD5
	   The CRAM-MD5 SASL Mechanism as defined in RFC2195 resp.  in IETF Draft draft-ietf-sasl-crammd5-XX.txt offers a simple challenge-
	   response authentication mechanism.

	   Since it is a challenge-response authentication mechanism no passwords are transferred in clear-text over the wire.

	   Due to the simplicity of the protocol CRAM-MD5 is susceptible to replay and dictionary attacks, so DIGEST-MD5 should be used in
	   preferrence.

       DIGEST-MD5
	   The DIGEST-MD5 SASL Mechanism as defined in RFC 2831 resp.  in IETF Draft draft-ietf-sasl-rfc2831bis-XX.txt offers the HTTP Digest
	   Access Authentication as SASL mechanism.

	   Like CRAM-MD5 it is a challenge-response authentication method that does not send plain text passwords over the network.

	   Compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext attacks, and permits the use of third party authentication servers, so that
	   it is recommended to use DIGEST-MD5 instead of CRAM-MD5 when possible.

       EXTERNAL
	   The EXTERNAL SASL mechanism as defined in RFC 2222 allows the use of external authentication systems as SASL mechanisms.

       GSSAPI
	   The GSSAPI SASL mechanism as defined in RFC 2222 resp. IETF Draft draft-ietf-sasl-gssapi-XX.txt allows using the Generic Security
	   Service Application Program Interface [GSSAPI] KERBEROS V5 as as SASL mechanism.

	   Although GSSAPI is a general mechanism for authentication it is almost exlusively used for Kerberos 5.

       LOGIN
	   The LOGIN SASL Mechanism as defined in IETF Draft draft-murchison-sasl-login-XX.txt allows  the combination of username and clear-text
	   password to be used in a SASL mechanism.

	   It does does not provide a security layer and sends the credentials in clear over the wire.	Thus this mechanism should not be used
	   without adequate security protection.

       PLAIN
	   The Plain SASL Mechanism as defined in RFC 2595 resp. IETF Draft draft-ietf-sasl-plain-XX.txt is another SASL mechanism that allows
	   username and clear-text password combinations in SASL environments.

	   Like LOGIN it sends the credentials in clear over the network and should not be used without sufficient security protection.

       As for server support, only PLAIN, LOGIN and DIGEST-MD5 are supported at the time of this writing.

       "server_new" OPTIONS is a hashref that is only relevant for DIGEST-MD5 for now and it supports the following options:

       - no_integrity
       - no_confidentiality

       which configures how the security layers are negotiated with the client (or rather imposed to the client).

SEE ALSO

       Authen::SASL, Authen::SASL::Perl::ANONYMOUS, Authen::SASL::Perl::CRAM_MD5, Authen::SASL::Perl::DIGEST_MD5, Authen::SASL::Perl::EXTERNAL,
       Authen::SASL::Perl::GSSAPI, Authen::SASL::Perl::LOGIN, Authen::SASL::Perl::PLAIN

AUTHOR

       Peter Marschall <peter@adpm.de>

       Please report any bugs, or post any suggestions, to the perl-ldap mailing list <perl-ldap@perl.org>

COPYRIGHT

       Copyright (c) 2004-2006 Peter Marschall.  All rights reserved. This document is distributed, and may be redistributed, under the same terms
       as Perl itself.

perl v5.16.2							    2010-03-11						     Authen::SASL::Perl(3)
Man Page