cyrus-sasl - Cyrus SASL (Simple Authentication Security Layer) ChangeLog


# Cyrus SASL 2.1.28
# =================
# Slackware 14.0, 14.1: cyrus-sasl 2.1.23
# Slackware 14.2: cyrus-sasl 2.1.26
# Slackware 15.0: cyrus-sasl 2.1.27

# FYI, there is also a GNU SASL

# If you want to uninstall Cyrus SASL or just clean up files from an old
# version before installing this one, skip down to the bottom for
# instructions

# Prerequisites:
# Berkeley DB (bdb) (optional; bdb, gdbm or ndbm is required for SASLDB)
# GDBM (optional)
# PAM (optional)
# OpenSSL (optional)
# OpenLDAP >= 2.1.27 or >= 2.2.6 (optional)
# Kerberos (optional)
# OPIE (optional)
# MySQL (--enable-sql requires libmysqlclient; optional)
# PostgreSQL (optional)
# SQLite (optional)

# Cyrus SASL 2.1.28 announcement
# Cyrus SASL 2.1.28 release notes
# GitHub Cyrus SASL 2.1.28 release

# If you do build it to only use PLAIN and LOGIN, make sure you use TLS/SSL
# with your apps that use SASL.

# If you have trouble with the download URL below, look through the releases
# on GitHub for the latest 2.1.x:

# OpenSSL >= 1.1.0 is supported as of Cyrus SASL 2.1.27

# For documentation (re-)generation, become root and install Python Sphinx
# and Perl Pod::POM::View::Restructured
pip install -U Sphinx
perl -MCPAN -e shell
install Bundle::CPAN
install Pod::POM::View::Restructured

# Get it
test -f installed/cyrus-sasl-2.1.28.tar.gz &&
mv installed/cyrus-sasl-2.1.28.tar.gz .
test ! -f cyrus-sasl-2.1.28.tar.gz &&

# Verify the tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
echo "7ccfc6abd01ed67c1a0924b353e526f1b766b21f42d4562ee635a8ebfc5bb3\
8c  cyrus-sasl-2.1.28.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys D2F06546 > /dev/null 2>&1 ||
  gpg --keyserver --recv-keys D2F06546 ) &&
wget -nc\
cyrus-sasl-2.1.28/cyrus-sasl-2.1.28.tar.gz.sig &&
  gpg --verify cyrus-sasl-2.1.28.tar.gz.sig &&
   rm cyrus-sasl-2.1.28.tar.gz.sig

# Extract the source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
tar xzvf ~/cyrus-sasl-2.1.28.tar.gz
cd cyrus-sasl-2.1.28
test $UID = 0 && chown -R root:root .

# Read through docs locally
# 'lynx doc/legacy/index.html'
# or
# Cyrus SASL 2.1.28

# See the output of './configure --help' for the many options

# If you want to let it figure out what you have installed and use the
# defaults for everything, just run ./configure

# There is an auxprop plugin for LDAP at that should give
# you CRAM-MD5, DIGEST-MD5, etc. but I have not used it in years.
# There is now also a LDAPDB auxprop plugin, see below.  You can use it
# for apps to use SASL, and SASL to use LDAP (instead of PAM, shadow,
# SASLDB, etc.).  You would do this via 'saslauthd -a ldap'.  It requires
# OpenLDAP with SASL support, so you'll probably want to build SASL first
# without LDAP, then OpenLDAP with SASL, then SASL again with LDAPDB.

# If you want to enable SQL support, pass --enable-sql to configure
# You probably don't want to enable it if you will not actually be using
# it, because you will get loads of log entries like this:
#   sql_select option missing
#   auxpropfunc error no mechanism available
#   _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
# After installation, to quiet those (and remove SQL support), remove
# the libsql.* files in your plugin directory (i.e.
# /usr/lib*/sasl2/libsql.*).
# If you want to enable MySQL support specifically, that is the default,
# that will be used as long as libmysqlclient is installed and available.
# If you want to enable SQLite support, add --with-sqlite3=path (or
# --with-sqlite if not 3.x) in addition to --enable-sql

# If you have OpenLDAP installed, but you don't want to build saslauthd with
# direct LDAP support, use --without-ldap
# If you want to use the LDAPDB auxprop plugin, in addition to --with-ldap,
# also pass --enable-ldapdb

# If you use PAM for system tools but do not want to use it for SASL
# authentication, use --without-pam

# If you want to build SASL with support for mechs like SCRAM, OTP, SRP,
# NTLM, and PASSDSS, build it with OpenSSL support.  If yours is installed
# from source under the < 1.1.0 /usr/local/ssl prefix, pass
# --with-openssl=/usr/local/ssl to configure and you may also need this
# before configure:
# CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib \
# If you are running 64-bit ('uname -m' = x86_64), make sure you use
# /usr/lib64 or /usr/local/lib64 for --libdir and --with-plugindir
# (and LDFLAGS if needed)

## Match Slackware's paths:
## ** and don't forget to use /usr/lib64 if 64-bit **
# ./configure --prefix=/usr --sysconfdir=/etc --with-configdir=/etc/sasl2 \
#  --docdir=/usr/doc/cyrus-sasl --libdir=/usr/lib --mandir=/usr/man \
#  --localstatedir=/var --with-plugindir=/usr/lib/sasl2

## If you use --without-openssl, also pass --without-des or you may get
## something like this when compiling:
# auth_getpwent.c:57:20: fatal error: des.h: No such file or directory

## If no matter what is installed, you want just LOGIN and PLAIN for use
## with 'saslauthd -a shadow', no SASLDB, no other mechs, no PAM, no LDAP,
## no OpenSSL, use the Slackware paths one above as a base, and add these:
# --without-openssl --without-des --with-dblib=none --without-pam \
# --without-ldap --disable-checkapop --disable-cram --disable-digest \
# --disable-scram --disable-otp --disable-krb4 --disable-gssapi \
# --disable-anon --enable-login

# If you are 64-bit, want MySQL/MariaDB and not PostgreSQL, and it is
# installed under /usr/local/mysql, you probably need
# LDFLAGS=-L/usr/local/mysql/lib64 before configure, and --enable-sql
# --with-mysql=/usr/local/mysql

# Configure the build, 64-bit, LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, LDAP
test $(uname -m) = 'x86_64' &&
./configure --prefix=/usr --sysconfdir=/etc --with-configdir=/etc/sasl2 \
--docdir=/usr/doc/cyrus-sasl --libdir=/usr/lib64 --mandir=/usr/man \
--localstatedir=/var --with-plugindir=/usr/lib64/sasl2 \
--disable-checkapop --disable-scram --disable-otp --disable-krb4 \
--disable-gssapi --disable-anon --enable-login \
--with-sqlite3=/usr --with-ldap --enable-ldapdb

# Build it

# Become root to back up files, clean up files, and to install it

# Back up your sendmail SASL configuration, if you have one
# If you have more than one, it will only back up the first
test ! -d /root/backup/sendmail && mkdir -p -m 0700 /root/backup/sendmail
BACKUPFILE=/root/backup/sendmail/Sendmail.conf-$(date +%Y%m%d)
for confdir in /etc/sasl2 /usr/local/etc;
  test -f ${confdir}/Sendmail.conf &&
   test ! -f $BACKUPFILE &&
    cp -a ${confdir}/Sendmail.conf $BACKUPFILE

# From this point on, really keep in mind what you've got running.  If you
# have 10,000 users that are authenticating via SASL, you probably don't
# want to just stop saslauthd and blow away old files as done below :-)
# If linked with shared libraries, you will need to restart anything you've
# got running that uses SASL: sendmail, Cyrus IMAP, Apache, Samba, etc.  Any
# daemon running that is linked with may go crazy before you
# restart that.  Check 'lsof /usr/lib*/libsasl2.*' for an idea.  If you can,
# shut down everything using SASL, then re-start them after 'make install'
# below.

# If saslauthd is running, stop it
test -x /etc/rc.d/rc.saslauthd && /etc/rc.d/rc.saslauthd stop
sleep 2
killall saslauthd
sleep 2
killall -9 saslauthd

# Remove the Slackware package
test -x /sbin/removepkg && /sbin/removepkg cyrus-sasl

# Remove old files to ensure no conflicts between multiple installed
# versions.  This will zap anything like sendmail's SASL configuration
# file: Sendmail.conf
rm -f /etc/rc.d/rc.saslauthd
test -d /etc/sasl2 && rm -r /etc/sasl2
for pfx in /usr /usr/local;
  test -d ${pfx}/include/sasl && rm -r ${pfx}/include/sasl
  test -L ${pfx}/lib/sasl2 && rm -f ${pfx}/lib/sasl2
  test -L ${pfx}/lib64/sasl2 && rm -f ${pfx}/lib64/sasl2
  test -d ${pfx}/lib/sasl2 && rm -r ${pfx}/lib/sasl2
  test -d ${pfx}/lib64/sasl2 &&
   ( rm -r ${pfx}/lib64/sasl2
     rm ${pfx}/lib/pkgconfig/libsasl2.pc )
  test -d ${pfx}/man/man8 &&
   ( cd ${pfx}/man/man8
     rm -f pluginviewer.8 sasldblistusers2.8 saslpasswd2.8 )
  ( cd ${pfx}/sbin
    rm -f pluginviewer saslauthd sasldblistusers2 saslpasswd2 testsaslauthd )
  test -d ${pfx}/lib64 && rm -f ${pfx}/lib64/libsasl2.*
  rm -f ${pfx}/lib/libsasl2.* /usr/man/man3/sasl_*.3
test -d /var/state/saslauthd && rm -r /var/state/saslauthd
rm -f /var/man/cat8/saslauthd.8.xz

# Install the newly built Cyrus SASL
make install

# The shared library is  If you have anything linked
# with, this Band-aid may or may not work until you
# recompile it:
for libdir in /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib;
  test -f ${libdir}/ &&
   test ! -L ${libdir}/ &&
    ln -s ${libdir}/ ${libdir}/ &&

# If you use saslauthd, create these directories:
test ! -d /etc/sasl2 && mkdir -p /etc/sasl2
test ! -d /var/state/saslauthd && mkdir -p /var/state/saslauthd

# Put your sendmail sasl config file back, if you have one
for sasldir in /etc/sasl2 /usr/local/etc;
  test -d $sasldir &&
   test ! -f ${sasldir}/Sendmail.conf &&
    test -f /root/backup/sendmail/Sendmail.conf-$(date +%Y%m%d) &&
     cp -a /root/backup/sendmail/Sendmail.conf-$(date +%Y%m%d) \

# To start saslauthd on boot-up, Slackware will run /etc/rc.d/rc.saslauthd
# (from rc.M) if it exists and is executable.  Open it up and set it to use
# '-a shadow', '-a pam', '-a ldap' or whatever you'll be using.  See
# 'man saslauthd' for other options.  If you do let saslauthd get started
# out of rc.saslauthd via rc.M, make sure your SASL-using apps like sendmail
# and Cyrus IMAP get started after saslauthd does.  Run this blurb to get a
# sample rc.saslauthd from me, or find one on in
# /pub/slackware/slackware-current/source/n/cyrus-sasl/
cd /etc/rc.d
test -f rc.saslauthd &&
( mv -f rc.saslauthd rc.saslauthd.old ; chmod 600 rc.saslauthd.old )
wget -nc
chmod 700 rc.saslauthd

## If your system doesn't run rc.saslauthd out of rc.M, add something like
## this to /etc/rc.d/rc.local (before SASL-using apps start):
# if [ -x /etc/rc.d/rc.saslauthd ]; then
#   /etc/rc.d/rc.saslauthd start
# fi

# As of SASL 2.1.13, there's a -c option for caching authentication
# credentials.  If you run a busy system, you'll probably want to use this.

## If you built it with PAM...
## Put something like this in /etc/pam.d/smtp for sendmail.  Create a
## /etc/pam.d/imap, /etc/pam.d/pop, and a /etc/pam.d/sieve for Cyrus IMAP.
# #%PAM-1.0
# auth       sufficient   /lib/security/
# auth       required     /lib/security/ try_first_pass
# account    sufficient   /lib/security/
# account    required     /lib/security/

## If you built it with LDAP support...
## If you want to use a different /etc/ldap.conf (nss/pam_ldap config)
## for SMTP auth (and/or Cyrus logins), you can replace the first line above
## with something like this (and cp /etc/ldap.conf to /etc/ldap.conf.smtp)
# auth       sufficient   /lib/security/ config=/etc/ldap.conf.smtp

# If you're going to use saslauthd with sendmail...
# Create a /usr/lib*/sasl2/Sendmail.conf, if you don't already have one:
test -d /etc/sasl2 &&
( test ! -f /etc/sasl2/Sendmail.conf &&
    echo "pwcheck_method: saslauthd" > /etc/sasl2/Sendmail.conf )
test ! -d /etc/sasl2 &&
( test ! -f /usr/local/etc/Sendmail.conf &&
   echo "pwcheck_method: saslauthd" > /usr/local/etc/Sendmail.conf )

## If you're going to use saslauthd with Cyrus IMAP...
## Put this in /etc/imapd.conf
# sasl_pwcheck_method: saslauthd

# If you use SASLDB and not saslauthd, use "pwcheck_method: auxprop" for
# /etc/sasl2/Sendmail.conf or /usr/local/etc/Sendmail.conf depending on
# your --sysconfdir and use "sasl_pwcheck_method: auxprop" in
# /etc/imapd.conf if you are using Cyrus IMAP with SASLDB.
# Also make sure that the other software can read the /etc/sasldb2 file
# If you want both Cyrus IMAP and sendmail to be able to access it, for
# example, you can create a group and add your cyrus and sendmail (daemon)
# users to it, then make the sasldb2 file group-owned by that group and
# change permissions to g+r
# See 'man saslpasswd2' for info about creating/updating users in
# /etc/sasldb2 and 'man sasldblistusers2' for info about listing them.

# If you run saslauthd with "-a ldap", create /etc/saslauthd.conf or
# /usr/local/etc/saslauthd.conf if you use the /usr/local prefix
test ! -f /etc/saslauthd.conf &&
cat << EOF > /etc/saslauthd.conf
ldap_servers: ldap:// ldap://
ldap_search_base: ou=people,dc=foo,dc=org

# (Re-)start saslauthd
test -x /etc/rc.d/rc.saslauthd && /etc/rc.d/rc.saslauthd restart

# Become yourself again

# Save tarball for later
mkdir -p -m 0700 installed
rm -f installed/cyrus-sasl-*.tar.*
mv cyrus-sasl-2.1.28.tar.gz installed/

# If you ever need to uninstall Cyrus SASL, after reconfiguring/rebuilding
# apps that use it to stop doing so, run this.  If you have the source (and
# configure has been run), the 'make uninstall' part should do it.  The rest
# is to make sure it's really all gone.
test -d src/cyrus-sasl-2.1.28 &&
( cd src/cyrus-sasl-2.1.28 ; make uninstall )
find src -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
test -x /etc/rc.d/rc.saslauthd && /etc/rc.d/rc.saslauthd stop
sleep 2
killall saslauthd
sleep 2
killall -9 saslauthd > /dev/null 2>&1
test -L /usr/lib/sasl2 && rm /usr/lib/sasl2
for pfx in /usr /usr/local;
  find ${pfx}/doc -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
  test -d ${pfx}/doc/cyrus-sasl && rm -r ${pfx}/doc/cyrus-sasl
  test -d ${pfx}/include/sasl && rm -r ${pfx}/include/sasl
  test -d ${pfx}/lib/pkgconfig && rm -f ${pfx}/lib/pkgconfig/libsasl2.pc
  test -d ${pfx}/lib/sasl2 && rm -r ${pfx}/lib/sasl2
  test -d ${pfx}/lib64 && rm -f ${pfx}/lib64/libsasl2.*
  test -d ${pfx}/lib64/pkgconfig && rm -f ${pfx}/lib64/pkgconfig/libsasl2.pc
  test -d ${pfx}/lib64/sasl2 && rm -r ${pfx}/lib64/sasl2
  ( cd ${pfx}/lib ; rm -f libsasl2.* )
  ( cd ${pfx}/man/cat3 ; rm -f sasl_*.3 sasl.3 )
  ( cd ${pfx}/man/cat8
    rm -f pluginviewer.8 saslauthd.8 sasldblistusers2.8 saslpasswd2.8 )
  ( cd ${pfx}/man/man3 ; rm -f sasl_*.3 sasl.3 )
  ( cd ${pfx}/man/man8
    rm -f pluginviewer.8 saslauthd.8 sasldblistusers2.8 saslpasswd2.8 )
  ( cd ${pfx}/sbin
    rm -f pluginviewer saslauthd sasldblistusers2 testsaslauthd )
test -d /etc/sasl2 && rm -r /etc/sasl2
test -d /var/state/saslauthd && rm -r /var/state/saslauthd
rm -f /etc/rc.d/rc.saslauthd
find ~/src -maxdepth 1 -type d -name "cyrus-sasl-*" -exec rm -r {} \;
rm -f ~/installed/cyrus-sasl-*.tar.*

List of HOWTOs

Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2023-09-23 10:01pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.