
HOWTO: cyrus-sasl
Description: Cyrus SASL (Simple Authentication Security Layer)
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.
It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.


# Cyrus SASL 2.1.27
# =================
# Slackware 13.0, 13.1, 13.37, 14.0, 14.1: cyrus-sasl 2.1.23
# Slackware 14.2: cyrus-sasl 2.1.26

# FYI, there is also a GNU SASL

# If you want to uninstall Cyrus SASL or just clean up files from an old
# version before installing this one, skip down to the bottom for
# instructions

# Prerequisites:
# Berkeley DB (bdb) (optional; bdb, gdbm or ndbm is required for SASLDB)
# GDBM (optional)
# PAM (optional)
# OpenSSL (optional)
# OpenLDAP >= 2.1.27 or >= 2.2.6 (optional)
# Kerberos (optional)
# OPIE (optional)
# MySQL (--enable-sql requires libmysqlclient; optional)
# PostgreSQL (optional)
# SQLite (optional)

# asg.andrew.cmu.edu: Cyrus SASL 2.1.27 release announcement
# lists.andrew.cmu.edu: Cyrus SASL 2.1.27 release announcement

# If you do build it to only use PLAIN and LOGIN, make sure you use TLS/SSL
# with your apps that use SASL, since both of those mechanisms send the
# password in the clear.

# The old CMU SASL page is here:
# http://asg.web.cmu.edu/sasl/

# A previous pre-release was here; I include it in case others end up there
# as well:
# http://www.contrib.andrew.cmu.edu/~murch/

# If you have trouble with the download URL below, here are various places
# that you can get it:
# https://www.cyrusimap.org/releases/
# ftp://ftp.cyrusimap.org/cyrus-sasl/
# www.surf.org.uk that should give
# you CRAM-MD5, DIGEST-MD5, etc. but I have not used it in years.
#
# There is now also a LDAPDB auxprop plugin, read about it in
# doc/install.html and doc/options.html  You can use it for apps to use
# SASL, and SASL to use LDAP (instead of PAM, shadow, SASLDB, etc.).  You
# would do this via 'saslauthd -a ldap'.  It requires OpenLDAP with SASL
# support, so you'll probably want to build SASL first without LDAP, then
# OpenLDAP with SASL, then SASL again with LDAPDB.

# For documentation (re-)generation, become root and install Python Sphinx
# and Perl Pod::POM::View::Restructured
# NOTE: this is an interactive transcript, not a script.  After 'su' the
# lines are typed into the root shell; 'install ...' and 'quit' are typed
# into the CPAN shell that 'perl -MCPAN -e shell' starts.  Both 'pip' and
# CPAN fetch and install unpinned packages into the system as root.
su
pip install -U Sphinx
perl -MCPAN -e shell
install Bundle::CPAN
install Pod::POM::View::Restructured
quit
exit

# Get it: reuse a previously saved tarball from ~/installed if there is one,
# otherwise download it
cd
if [ -f installed/cyrus-sasl-2.1.27.tar.gz ]; then
  mv installed/cyrus-sasl-2.1.27.tar.gz .
fi
if [ ! -f cyrus-sasl-2.1.27.tar.gz ]; then
  wget https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27.tar.gz
fi

# Verify the tarball w/ md5sum:
# (this is from the release announcement; MD5 is not collision-resistant,
# so treat this as a download sanity check and rely on the sha256sum and
# gpg checks that follow)
printf '%s  %s\n' a33820c66e0622222c5aefafa1581083 cyrus-sasl-2.1.27.tar.gz |
 md5sum -c

# Verify the tarball w/ sha256sum:
# (this is from my gpg-verified tarball)
printf '%s  %s\n' \
 26866b1549b00ffd020f188a43c258017fa1c382b3ddadd8201536f72efb05d5 \
 cyrus-sasl-2.1.27.tar.gz | sha256sum -c

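# Verify tarball w/ gpg:
# 'gpg --verify' exits 0 for a good signature from ANY key in your keyring,
# so the VALIDSIG status line is also checked for the expected key ID before
# the .sig is removed.  C7B9F46A is a short (32-bit) ID and look-alike keys
# with the same short ID exist: compare the full fingerprint that
# 'gpg --fingerprint C7B9F46A' prints with the one in the release
# announcement before trusting it.  keys.gnupg.net may no longer resolve;
# if --recv-keys fails, fetch the key from another keyserver and do the
# fingerprint comparison above.
( gpg --list-keys C7B9F46A > /dev/null 2>&1 ||
  gpg --keyserver keys.gnupg.net --recv-keys C7B9F46A ) &&
 wget -nc https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27.tar.gz.sig &&
  gpg --status-fd 1 --verify cyrus-sasl-2.1.27.tar.gz.sig |
   grep -q '^\[GNUPG:\] VALIDSIG .*C7B9F46A' &&
    rm cyrus-sasl-2.1.27.tar.gz.sig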

# Extract the source into ~/src, first dropping any older cyrus-sasl-* tree
mkdir -p -m 0700 ~/src
cd ~/src
find . -maxdepth 1 -type d -name 'cyrus-sasl-*' -exec rm -r -- {} +
tar xzvf ~/cyrus-sasl-2.1.27.tar.gz
cd cyrus-sasl-2.1.27
# when extracting as root, don't keep the uid/gid recorded in the tarball
[ "$UID" -eq 0 ] && chown -R root:root .

# Read through ./README, ./INSTALL, and 'lynx doc/install.html'

# See the output of './configure --help' for the many options

# If you want to let it figure out what you have installed and use the
# defaults for everything, just run ./configure

# If you want to enable SQL support, pass --enable-sql to configure
#
# You probably don't want to enable it if you will not actually be using
# it, because you will get loads of log entries like this:
#   sql_select option missing
#   auxpropfunc error no mechanism available
#   _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
# After installation, to quiet those (and remove SQL support), remove
# the libsql.* files in your plugin directory (e.g.
# /usr/lib*/sasl2/libsql.*).
#
# If you want to enable MySQL support specifically, that is the default,
# that will be used as long as libmysqlclient is installed and available.
#
# If you want to enable SQLite support, add --with-sqlite3=path (or
# --with-sqlite if not 3.x) in addition to --enable-sql

# If you have OpenLDAP installed, but you don't want to build saslauthd with
# direct LDAP support, use --without-ldap
#
# If you want to use the LDAPDB auxprop plugin, in addition to --with-ldap,
# also pass --enable-ldapdb

# If you use PAM for system tools but do not want to use it for SASL
# authentication, use --without-pam

# If you want to build SASL with support for mechs like SCRAM, OTP, SRP,
# NTLM, and PASSDSS, build it with OpenSSL support.  If yours is installed
# from source under the < 1.1.0 /usr/local/ssl prefix, pass
# --with-openssl=/usr/local/ssl to configure and you may also need this
# before configure:
# CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib \
#
# If you are running 64-bit ('uname -m' = x86_64), make sure you use
# /usr/lib64 or /usr/local/lib64 for --libdir and --with-plugindir
# (and LDFLAGS if needed)

## Match Slackware's paths:
## ** and don't forget to use /usr/lib64 if 64-bit **
# ./configure --prefix=/usr --sysconfdir=/etc --with-configdir=/etc/sasl2 \
#  --docdir=/usr/doc/cyrus-sasl --libdir=/usr/lib --mandir=/usr/man \
#  --localstatedir=/var --with-plugindir=/usr/lib/sasl2

## If you use --without-openssl, also pass --without-des or you may get
## something like this when compiling:
# auth_getpwent.c:57:20: fatal error: des.h: No such file or directory

## If no matter what is installed, you want just LOGIN and PLAIN for use
## with 'saslauthd -a shadow', no SASLDB, no other mechs, no PAM, no LDAP,
## no OpenSSL, use the Slackware paths one above as a base, and add these:
# --without-openssl --without-des --with-dblib=none --without-pam \
# --without-ldap --disable-checkapop --disable-cram --disable-digest \
# --disable-scram --disable-otp --disable-krb4 --disable-gssapi \
# --disable-anon --enable-login

# If you are 64-bit, want MySQL/MariaDB and not PostgreSQL, and it is
# installed under /usr/local/mysql, you probably need
# LDFLAGS=-L/usr/local/mysql/lib64 before configure, and --enable-sql
# --with-mysql=/usr/local/mysql

# Configure the build, 64-bit, LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, LDAP
# NOTE(review): --with-sqlite3 is passed without --enable-sql, which the
# notes above say SQL support needs; check the configure output if you
# expect the sql auxprop plugin to be built.
if [ "$(uname -m)" = x86_64 ]; then
  ./configure \
    --prefix=/usr --sysconfdir=/etc --with-configdir=/etc/sasl2 \
    --docdir=/usr/doc/cyrus-sasl --libdir=/usr/lib64 --mandir=/usr/man \
    --localstatedir=/var --with-plugindir=/usr/lib64/sasl2 \
    --disable-checkapop --disable-scram --disable-otp --disable-krb4 \
    --disable-gssapi --disable-anon --enable-login \
    --with-sqlite3=/usr --with-ldap --enable-ldapdb
fi

# Build it
make

# Become root to back up files, clean up files, and to install it
# (plain 'su' keeps the current directory, so 'make install' further down
# still runs in this build tree)
su

# Back up your sendmail SASL configuration, if you have one
# If you have more than one, it will only back up the first
mkdir -p -m 0700 /root/backup/sendmail
BACKUPFILE="/root/backup/sendmail/Sendmail.conf-$(date +%Y%m%d)"
for confdir in /etc/sasl2 /usr/local/etc; do
  if [ -f "$confdir/Sendmail.conf" ] && [ ! -f "$BACKUPFILE" ]; then
    cp -a "$confdir/Sendmail.conf" "$BACKUPFILE"
  fi
done
unset BACKUPFILE

# From this point on, really keep in mind what you've got running.  If you
# have 10,000 users that are authenticating via SASL, you probably don't
# want to just stop saslauthd and blow away old files as done below :-)
# If linked with shared libraries, you will need to restart anything you've
# got running that uses SASL: sendmail, Cyrus IMAP, Apache, Samba, etc.  Any
# daemon running that is linked with libsasl2.so may go crazy before you
# restart that.  Check 'lsof /usr/lib*/libsasl2.*' for an idea.  If you can,
# shut down everything using SASL, then re-start them after 'make install'
# below.

# If saslauthd is running, stop it: rc script first, then TERM, then KILL
if [ -x /etc/rc.d/rc.saslauthd ]; then
  /etc/rc.d/rc.saslauthd stop
fi
sleep 2
killall saslauthd
sleep 2
killall -9 saslauthd

# Remove the Slackware package
if [ -x /sbin/removepkg ]; then
  /sbin/removepkg cyrus-sasl
fi

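# Remove old files to ensure no conflicts between multiple installed
# versions.  This will zap anything like sendmail's SASL configuration
# file: Sendmail.conf
# Every 'cd' below is chained with '&&' so that when a directory is missing
# the 'rm' that follows does not run against whatever the current directory
# happens to be (the build tree, at this point).
rm -f /etc/rc.d/rc.saslauthd
test -d /etc/sasl2 && rm -r /etc/sasl2
for pfx in /usr /usr/local; do
  test -d "$pfx/include/sasl" && rm -r "$pfx/include/sasl"
  test -L "$pfx/lib/sasl2" && rm -f "$pfx/lib/sasl2"
  test -L "$pfx/lib64/sasl2" && rm -f "$pfx/lib64/sasl2"
  test -d "$pfx/lib/sasl2" && rm -r "$pfx/lib/sasl2"
  # NOTE(review): lib/pkgconfig/libsasl2.pc is removed only when lib64/sasl2
  # exists (kept as written); the uninstall section further down treats
  # lib/pkgconfig and lib64/pkgconfig separately -- verify which you need.
  test -d "$pfx/lib64/sasl2" &&
   ( rm -r "$pfx/lib64/sasl2"
     rm "$pfx/lib/pkgconfig/libsasl2.pc" )
  test -d "$pfx/man/man8" &&
   ( cd "$pfx/man/man8" &&
     rm -f pluginviewer.8 sasldblistusers2.8 saslpasswd2.8 )
  ( cd "$pfx/sbin" &&
    rm -f pluginviewer saslauthd sasldblistusers2 saslpasswd2 testsaslauthd )
  test -d "$pfx/lib64" && rm -f "$pfx"/lib64/libsasl2.*
  rm -f "$pfx"/lib/libsasl2.* /usr/man/man3/sasl_*.3
done
test -d /var/state/saslauthd && rm -r /var/state/saslauthd
rm -f /var/man/cat8/saslauthd.8.xz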

# Install the newly built Cyrus SASL
make install
# refresh the dynamic linker cache so the new libsasl2.so.3 is picked up
ldconfig

# The shared library is libsasl2.so.3.0.0  If you have anything linked
# with libsasl2.so.2, this Band-aid may or may not work until you
# recompile it: point a libsasl2.so.2 symlink at the new library wherever
# one is not already present.
for libdir in /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib; do
  if [ -f "$libdir/libsasl2.so" ] && [ ! -L "$libdir/libsasl2.so.2" ]; then
    ln -s "$libdir/libsasl2.so" "$libdir/libsasl2.so.2" && ldconfig
  fi
done

# If you use saslauthd, create these directories (mkdir -p is a no-op for
# the ones that already exist):
mkdir -p /etc/sasl2 /var/state/saslauthd

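# Put your sendmail sasl config file back, if you have one
# The backup name is computed once (the same way the backup step above
# does) instead of re-running 'date' three times, so all uses agree.
BACKUPFILE="/root/backup/sendmail/Sendmail.conf-$(date +%Y%m%d)"
for sasldir in /etc/sasl2 /usr/local/etc; do
  if [ -d "$sasldir" ] && [ ! -f "$sasldir/Sendmail.conf" ] &&
     [ -f "$BACKUPFILE" ]; then
    cp -a "$BACKUPFILE" "$sasldir/Sendmail.conf"
  fi
done
unset BACKUPFILE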

# To start saslauthd on boot-up, Slackware will run /etc/rc.d/rc.saslauthd
# (from rc.M) if it exists and is executable.  Open it up and set it to use
# '-a shadow', '-a pam', '-a ldap' or whatever you'll be using.  See
# 'man saslauthd' for other options.  If you do let saslauthd get started
# out of rc.saslauthd via rc.M, make sure your SASL-using apps like sendmail
# and Cyrus IMAP get started after saslauthd does.  Run this blurb to get a
# sample rc.saslauthd from me, or find one on ftp.slackware.com in
# /pub/slackware/slackware-current/source/n/cyrus-sasl/
# NOTE: the URL below is plain http and nothing here checks a hash or
# signature, yet the file becomes a script that runs as root at boot --
# read through it before (or right after) the chmod makes it executable.
cd /etc/rc.d
if [ -f rc.saslauthd ]; then
  mv -f rc.saslauthd rc.saslauthd.old
  chmod 600 rc.saslauthd.old
fi
wget -nc http://englanders.us/pub/linux/misc/rc.saslauthd
chmod 700 rc.saslauthd

## If your system doesn't run rc.saslauthd out of rc.M, add something like
## this to /etc/rc.d/rc.local (before SASL-using apps start):
# if [ -x /etc/rc.d/rc.saslauthd ]; then
#   /etc/rc.d/rc.saslauthd start
# fi

# As of SASL 2.1.13, there's a -c option for caching authentication
# credentials.  If you run a busy system, you'll probably want to use this.

## If you built it with PAM...
## Put something like this in /etc/pam.d/smtp for sendmail.  Create a
## /etc/pam.d/imap, /etc/pam.d/pop, and a /etc/pam.d/sieve for Cyrus IMAP.
# #%PAM-1.0
# auth       sufficient   /lib/security/pam_ldap.so
# auth       required     /lib/security/pam_unix_auth.so try_first_pass
# account    sufficient   /lib/security/pam_ldap.so
# account    required     /lib/security/pam_unix_acct.so

## If you built it with LDAP support...
## If you want to use a different /etc/ldap.conf (nss/pam_ldap config)
## for SMTP auth (and/or Cyrus logins), you can replace the first line above
## with something like this (and cp /etc/ldap.conf to /etc/ldap.conf.smtp)
# auth       sufficient   /lib/security/pam_ldap.so config=/etc/ldap.conf.smtp

# If you're going to use saslauthd with sendmail...
# Create a Sendmail.conf under /etc/sasl2 (or /usr/local/etc when /etc/sasl2
# does not exist), if you don't already have one:
if [ -d /etc/sasl2 ]; then
  conf=/etc/sasl2/Sendmail.conf
else
  conf=/usr/local/etc/Sendmail.conf
fi
[ -f "$conf" ] || printf 'pwcheck_method: saslauthd\n' > "$conf"
unset conf

## If you're going to use saslauthd with Cyrus IMAP...
## Put this in /etc/imapd.conf
# sasl_pwcheck_method: saslauthd

# If you use SASLDB and not saslauthd, use "pwcheck_method: auxprop" for
# /etc/sasl2/Sendmail.conf or /usr/local/etc/Sendmail.conf depending on
# your --sysconfdir and use "sasl_pwcheck_method: auxprop" in
# /etc/imapd.conf if you are using Cyrus IMAP with SASLDB.
#
# Also make sure that the other software can read the /etc/sasldb2 file
# If you want both Cyrus IMAP and sendmail to be able to access it, for
# example, you can create a group and add your cyrus and sendmail (daemon)
# users to it, then make the sasldb2 file group-owned by that group and
# change permissions to g+r
#
# See 'man saslpasswd2' for info about creating/updating users in
# /etc/sasldb2 and 'man sasldblistusers2' for info about listing them.

# If you run saslauthd with "-a ldap", create /etc/saslauthd.conf or
# /usr/local/etc/saslauthd.conf if you use the /usr/local prefix
# The values below are placeholders -- edit them.  saslauthd hands each
# user's password to the LDAP server it checks against, so a plain ldap://
# URL to a host other than localhost sends it across the network in the
# clear unless TLS is turned on (ldaps:// or ldap_start_tls; see
# LDAP_SASLAUTHD in the source tree's saslauthd/ directory).
if [ ! -f /etc/saslauthd.conf ]; then
  cat <<'EOF' > /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/ ldap://192.168.0.123/
ldap_search_base: ou=people,dc=foo,dc=org
ldap_default_domain: foo.org
EOF
fi

# (Re-)start saslauthd (this runs the rc.saslauthd fetched above, so it
# picks up whatever -a option you set in it)
test -x /etc/rc.d/rc.saslauthd && /etc/rc.d/rc.saslauthd restart

# Become yourself again
exit

# Save tarball for later, replacing any older cyrus-sasl tarball kept there
cd ~
mkdir -p -m 0700 ~/installed
rm -f ~/installed/cyrus-sasl-*.tar.*
mv -- ~/cyrus-sasl-2.1.27.tar.gz ~/installed/


# If you ever need to uninstall Cyrus SASL, after reconfiguring/rebuilding
# apps that use it to stop doing so, run this.  If you have the source (and
# configure has been run), the 'make uninstall' part should do it.  The rest
# is to make sure it's really all gone.
# Plain 'su' keeps the current directory, so the relative 'src/...' paths
# that follow are resolved against your home directory.
cd
su
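# Each 'cd' is chained with '&&' so that a missing directory does not make
# the following 'make uninstall' or 'rm' run in the current directory.
test -d src/cyrus-sasl-2.1.27 &&
 ( cd src/cyrus-sasl-2.1.27 && make uninstall )
find src -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
test -x /etc/rc.d/rc.saslauthd && /etc/rc.d/rc.saslauthd stop
sleep 2
killall saslauthd
sleep 2
killall -9 saslauthd > /dev/null 2>&1
test -L /usr/lib/sasl2 && rm /usr/lib/sasl2
for pfx in /usr /usr/local; do
  find "$pfx/doc" -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
  test -d "$pfx/doc/cyrus-sasl" && rm -r "$pfx/doc/cyrus-sasl"
  test -d "$pfx/include/sasl" && rm -r "$pfx/include/sasl"
  test -d "$pfx/lib/pkgconfig" && rm -f "$pfx/lib/pkgconfig/libsasl2.pc"
  test -d "$pfx/lib/sasl2" && rm -r "$pfx/lib/sasl2"
  test -d "$pfx/lib64" && rm -f "$pfx"/lib64/libsasl2.*
  test -d "$pfx/lib64/pkgconfig" && rm -f "$pfx/lib64/pkgconfig/libsasl2.pc"
  test -d "$pfx/lib64/sasl2" && rm -r "$pfx/lib64/sasl2"
  ( cd "$pfx/lib" && rm -f libsasl2.* )
  ( cd "$pfx/man/cat3" && rm -f sasl_*.3 sasl.3 )
  ( cd "$pfx/man/cat8" &&
    rm -f pluginviewer.8 saslauthd.8 sasldblistusers2.8 saslpasswd2.8 )
  ( cd "$pfx/man/man3" && rm -f sasl_*.3 sasl.3 )
  ( cd "$pfx/man/man8" &&
    rm -f pluginviewer.8 saslauthd.8 sasldblistusers2.8 saslpasswd2.8 )
  # saslpasswd2 is installed alongside these (the pre-install cleanup above
  # removes it too), so it is included here
  ( cd "$pfx/sbin" &&
    rm -f pluginviewer saslauthd sasldblistusers2 saslpasswd2 testsaslauthd )
done
test -d /etc/sasl2 && rm -r /etc/sasl2
test -d /var/state/saslauthd && rm -r /var/state/saslauthd
rm -f /etc/rc.d/rc.saslauthd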
# Back to your own user; the last two lines run as you, not root
exit
find ~/src -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
rm -f ~/installed/cyrus-sasl-*.tar.*



Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>