
Pwcheck
*******


Auxprop
=======


Auxprop-hashed
==============


Saslauthd
=========

**What is saslauthd?** saslauthd is a daemon which validates

"ldap_servers" - "ldap://localhost"

   Specify a space separated list of LDAP server URIs of the form
   **ldap[si]://[name[:port]]**. See the "ldap.conf" *URI* option for
   formatting details.

"ldap_bind_dn" - none

   When simple authentication is desired, specify a distinguished name
   to use for a simple authenticated bind or a simple unauthenticated
   bind. Do not specify if an anonymous bind is desired. This option
   is ignored when the evaluated "ldap_auth_method" is "fastbind".

"ldap_bind_pw" - none

   "ldap_bind_pw" is an alias for "ldap_password".

"ldap_password" - none

   When simple authentication is desired, specify a password to
   perform an authenticated bind, or do not specify for an
   unauthenticated or anonymous bind. When SASL authentication is
   desired, specify a password to use where required by the underlying
   SASL mechanism. This option is ignored when the evaluated
   "ldap_auth_method" is "fastbind".

"ldap_version" - 3

   Defaults to version *3*. If "ldap_use_sasl" or "ldap_start_tls" is
   enabled, this option is ignored and the default value is used.
   Version *3* **is** compatible with anonymous binds, simple
   authenticated binds and simple unauthenticated binds. Version *2*
   should only be necessary where required by the server.

"ldap_search_base" - none

   When "ldap_auth_method" is evaluated as *bind*, "ldap_search_base"
   will be used to search for the user's distinguished name. When
   "ldap_auth_method" is *custom*, "ldap_search_base" will be used to
   find the user's "ldap_password_attr" attribute. When
   "ldap_auth_method" is evaluated as *fastbind*, "ldap_search_base"
   is ignored. If "ldap_search_base" contains substitution tokens,
   they will be replaced as specified in the "ldap_filter" token
   expansion rules.

"ldap_filter" - uid=%u

   When "ldap_auth_method" is evaluated as *bind*, "ldap_filter" will
   be used to search for the user's distinguished name. When
   "ldap_auth_method" is *custom*, "ldap_filter" will become, after
   token expansion, the user's distinguished name. When
   "ldap_auth_method" is evaluated as *fastbind*, "ldap_filter" is
   ignored.

   The following tokens, when contained within the "ldap_filter"
   option, will be substituted with the specified values:

   "%%"

      is replaced with a literal %.

   "%u"

      is replaced with the userid to be authenticated.

   "%U"

      is replaced by the portion of the userid before the first @
      character. If an @ character does not exist in the userid, then
      "%U" would function identically to "%u". For example, if the
      userid to be authenticated is *jsmith@example.org*, "%u" would
      be replaced by *jsmith@example.org* and "%U" would be replaced
      by *jsmith*.

   "%d"

      is replaced by the portion of the userid after the first @
      character. If an @ character does not exist in the userid, "%d"
      will be replaced by the "realm" value passed to "saslauthd". If
      no "realm" value was passed to saslauthd, "%d" will be replaced
      by the configured "ldap_default_realm", or by an empty string if
      "ldap_default_realm" is not configured.

   "%1-9"

      Within a userid which contains an @ character, followed by a
      domain name, "%1" will be replaced by the top level domain, "%2"
      will be replaced by the secondary domain, "%3" will be replaced
      by the tertiary domain, up to and including "%9" which would be
      replaced by the ninth level domain. If no @ character exists in
      the userid, or if there is no domain name after the @ character,
      or if the specified hierarchical domain level does not exist,
      the option is replaced by the "realm" value passed to
      "saslauthd". Should no "realm" value exist in those scenarios,
      the option is replaced by the configured "ldap_default_realm",
      or by an empty string if "ldap_default_realm" has not been
      configured.

      For example, if the userid to be authenticated is
      *jsmith@example.org*, "%1" would be replaced by *org* and "%2"
      would be replaced by *example*.

   "%s"

      is replaced by the "service" option passed to "saslauthd", or by
      an empty string if no "service" option was passed.

   "%r"

      is replaced by the "realm" option passed to "saslauthd". If no
      "realm" value was passed to saslauthd, "%r" will be replaced by
      the configured "ldap_default_realm", or by an empty string if
      "ldap_default_realm" is not configured.
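The token expansion rules above, carried through in code as an added example (this is not saslauthd's own implementation). The "realm" and "service" arguments model the values the client passed to saslauthd and "default_realm" models "ldap_default_realm"; the RFC 4515 filter escaping of substituted values is an added hardening step that this page does not describe, so it can be switched off when expanding into a DN.

```python
import re
from typing import Optional

# RFC 4515 escaping for values substituted into an LDAP *filter*. This is an
# added hardening step, not part of the token rules documented on this page.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape characters that have special meaning inside an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_ldap_tokens(template: str, userid: str, realm: Optional[str] = None,
                       service: Optional[str] = None, default_realm: Optional[str] = None,
                       escape: bool = True) -> str:
    """Expand the %%, %u, %U, %d, %1..%9, %s and %r tokens of an ldap_filter.

    Pass escape=False when expanding into a DN (ldap_search_base,
    ldap_group_dn), where filter escaping does not apply.
    """
    local, at, domain = userid.partition('@')
    labels = domain.split('.') if domain else []      # e.g. ['example', 'org']
    # Used whenever a realm/domain-derived token cannot be resolved from the userid.
    fallback = realm if realm is not None else (default_realm or '')

    def replace(match: "re.Match[str]") -> str:
        tok = match.group(1)
        if tok == '%':
            return '%'                                 # literal percent sign
        if tok in '123456789':
            n = int(tok)                               # %1 = top-level label, %2 = next, ...
            val = labels[-n] if n <= len(labels) else fallback
        else:
            val = {
                'u': userid,                           # full userid
                'U': local,                            # before the first '@' (whole userid if none)
                'd': domain if at else fallback,       # after the first '@'
                's': service or '',
                'r': fallback,
            }[tok]
        return escape_filter_value(val) if escape else val

    return re.sub(r'%([%uUdsr1-9])', replace, template)
```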

"ldap_password_attr" - userPassword

   When "ldap_auth_method" is evaluated as *custom*,
   "ldap_password_attr" specifies an attribute that will be requested
   and retrieved. If successfully retrieved, the authentication request
   will succeed if the "ldap_password_attr" attribute contains a
   supported password hash, and if the user submitted password matches
   the hash. When "ldap_auth_method" is *bind* or *fastbind*,
   "ldap_password_attr" is ignored.

"ldap_group_dn" - none

   If "ldap_group_dn" is specified, group authorization must also
   succeed (in addition to the prior authentication step), for the
   user's authentication attempt to be successful. If "ldap_group_dn"
   contains substitution tokens, they will be replaced as specified in
   the "ldap_filter" token expansion rules. One additional token
   substitution is applicable to "ldap_group_dn":

   "%D"

      is replaced by the distinguished name that was specified, or
      evaluated, in the authentication step. If "ldap_use_sasl" is
      enabled, the distinguished name will be resolved by performing
      an ldapwhoami extended operation after a successful
      authentication. If "ldap_group_dn" is specified and
      "ldap_use_sasl" is enabled, but the ldap server does not support
      the ldapwhoami extended operation, or if the ldapwhoami extended
      operation fails, then the user's authentication attempt is
      unsuccessful.

"ldap_group_attr" - uniqueMember

   "ldap_group_attr" is ignored unless "ldap_group_dn" is also
   specified and "ldap_group_match_method" is *attr*.
   "ldap_group_attr" specifies an attribute which contains the
   authenticating identity's distinguished name. See the
   "ldap_group_match_method" entry for additional details.

"ldap_group_filter" - none

"ldap_group_search_base" - defaults to the evaluated
"ldap_search_base"

"ldap_group_scope" - *sub*

"ldap_group_match_method" - attr

"ldap_default_realm" - none

"ldap_default_domain" - none

   "ldap_default_domain" is an alias for "ldap_default_realm".

"ldap_auth_method" - bind

"ldap_timeout" - 5

"ldap_size_limit" - 1

"ldap_time_limit" - 5

"ldap_deref" - never

"ldap_referrals" - no

"ldap_restart" - yes

"ldap_scope" - sub

"ldap_use_sasl" - no

"ldap_id" - none

"ldap_sasl_authc_id" - none

"ldap_authz_id" - none

   It does not make sense to supply an authz identity when performing
   sasl/fastbind.

"ldap_sasl_authz_id" - none

   "ldap_sasl_authz_id" is an alias for "ldap_authz_id".

"ldap_realm" - none

"ldap_sasl_realm" -

"ldap_mech" -

   It does not make sense to use a mech that does not require an
   authname and password when using fastbind.

"ldap_sasl_mech" -

"ldap_sasl_secprops" -

"ldap_start_tls" -

"ldap_tls_check_peer" -

"ldap_tls_cacert_file" -

"ldap_tls_cacert_dir" -

"ldap_tls_ciphers" -

"ldap_tls_cert" -

"ldap_tls_key" -

"ldap_debug" -


Authdaemon
==========


Alwaystrue
==========


Auto Transition
===============
