Cyrusauth

From ZNC
Latest revision as of 23:52, 21 February 2013

This module is intended for admins who run a shell/web/email/etc. server and want to provide ZNC access to their existing users. With this module loaded, when your users log in to ZNC, either with their IRC client or via the webadmin module, their password is checked through the Cyrus SASL library (libsasl2), using whatever password-checking backend you configured for SASL, instead of against the password hash stored in the ZNC config file.

Compiling

First, run ./configure with the option --enable-cyrus to enable this module. On Debian, the required development package is libsasl2-dev.

Usage

Arguments

This global module takes up to two arguments, each naming a password-checking method (pwcheck_method) that libsasl2 should use.

See loading modules to learn how to load it.

Valid argument values are:

  • auxprop - this method uses a libsasl2 "Auxiliary Property" plugin to fetch and check the client-provided password. Normally this results in passwords being checked against sasldb2. Consult the libsasl2 manuals for more information.
  • saslauthd - this method calls out to the saslauthd daemon, which also ships with the libsasl2 distribution. saslauthd has a number of modules of its own that let it verify passwords in a variety of ways, including PAM, LDAP and a Kerberos database. This is the method to use if you want to authenticate users against the data in /etc/shadow, for example: saslauthd is the process that reads the shadow file, so ZNC itself does not need to run as root.

If no arguments are given, the library default method is used. At the time of writing (cyrus-sasl-2.1.22) the default pwcheck_method is auxprop. NOTE: By default, a user must already exist in ZNC before authentication via SASL is even attempted, so an unknown user name is rejected without consulting SASL. You may change this by selecting a clone user and setting CreateUser to yes with the commands below (run as admin); ZNC then creates a new user, copied from the clone user, whenever SASL accepts a login for a user name it does not yet know. Be aware that every account your SASL backend accepts then becomes a ZNC account.
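As an added example (not taken from this wiki page or from ZNC's own documentation), this is the line an admin would put in the global section of znc.conf to load the module with the saslauthd method. The `LoadModule = <module> <arguments>` form is ZNC's usual global-module syntax; the file path in the comment is the default ZNC location, and the commented-out two-argument variant plus its behaviour is an assumption about how the two method names are handed to libsasl2.

```ini
# ~/.znc/configs/znc.conf, global section (outside any <User> block).
# Added example, not copied from the wiki page or from ZNC.

# Prefer saslauthd: the daemon does the password check, so the ZNC process
# never needs read access to /etc/shadow or the sasldb2 file.
LoadModule = cyrusauth saslauthd

# Alternative (assumption): the module accepts up to two method names and
# passes them to libsasl2 as a space-separated pwcheck_method, which libsasl2
# tries in order, so this would try saslauthd first and then the sasldb2
# auxprop database.
# LoadModule = cyrusauth saslauthd auxprop
```

With no argument on the LoadModule line you get the library default described above, which is auxprop for the cyrus-sasl version the page was written against.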

Commands

/znc *Cyrusauth CreateUser [yes|no]
/znc *Cyrusauth CloneUser [username]
/znc *Cyrusauth DisableCloneUser

SASL Setup Hint

On Debian-based systems saslauthd is in the sasl2-bin package. Make sure to change START=no to START=yes in /etc/default/saslauthd, or the daemon will not be started at boot. The default mechanism configured there (MECHANISMS="pam") is PAM. To authenticate through libsasl2 the ZNC process must have adequate access permissions. Usually it is sufficient to add the user ZNC runs as to the unix group sasl, but this varies between distributions (YMMV). If you have problems authenticating your users through SASL you should check whether ZNC can access

  • for auxprop: your sasldb2 password database file (e.g. in Debian at /etc/sasldb2)
  • for saslauthd: the unix domain socket libsasl2 uses to speak to the daemon (e.g. in Debian at /var/run/saslauthd/mux)

You can test saslauthd access with the following command, run as the user ZNC runs under, to check permissions:

/usr/sbin/testsaslauthd -u someuser -p mypassword

If you get a connect error, your permissions are not set up right. Either "authentication successful" or "authentication failed" indicates that permissions are working and saslauthd answered. Note that the password is passed on the command line and is therefore briefly visible to every local user in the process list, so use a throwaway test account rather than a real one.

For more information consult the documentation distributed with the Cyrus SASL library or a copy of it via HTTP at sendmail.org. If you still have questions you might want to consult the Cyrus-sasl mailing list archive or join the list yourself.