JIRA 3337

no more defaulting to guest/guest username/password
qpidd.sasldb is no longer created -- users who want usernames and passwords in there must create it. 
but a local qpidd.sasldb is (before this change) being created for 'make check' testing.
The etc/sasl2/qpidd.conf file now has an explicit mech list -- so we will no longer default to the system-list.



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1143536 13f79535-47bb-0310-9956-ffa450edef68

3 files changed, 4 insertions, 26 deletions

diff --git a/qpid/cpp/etc/Makefile.am b/qpid/cpp/etc/Makefile.am
index c91dbcbbad..1e4db561a7 100644
--- a/qpid/cpp/etc/Makefile.am
+++ b/qpid/cpp/etc/Makefile.am
@@ -30,30 +30,7 @@ nobase_sysconf_DATA = \
 	qpidd.conf
 
 if HAVE_SASL
-SASL_DB = qpidd.sasldb
-
 nobase_sysconf_DATA += \
 	$(SASL_CONF)
 
-sasldbdir = $(localstatedir)/lib/qpidd
-sasldb_DATA = $(SASL_DB)
-
-# Setup the default sasldb file with a single user, guest, with an
-# obvious password. This user and password are the default for many
-# clients.
-#
-# The realm specified by -u is very important, and QPID is the default
-# for the broker so we use it here. The realm is important because it
-# defaults to the local hostname of the machine running the
-# broker. This may not seem to bad at first glance, but it means that
-# the sasldb has to be tailored to each machine that would be running
-# a broker, and if the machine ever changed its name the
-# authentication would stop working until the sasldb was updated. For
-# these reasons we always want the broker to specify a realm where its
-# users live, and we want the users to exist in that realm as well.
-$(SASL_DB):
-	echo guest | $(SASL_PASSWD) -c -p -f $(SASL_DB) -u QPID guest
-
-CLEANFILES=$(SASL_DB)
-
 endif
diff --git a/qpid/cpp/etc/qpidd.conf b/qpid/cpp/etc/qpidd.conf
index 8082660f6f..bfe4e38bbd 100644
--- a/qpid/cpp/etc/qpidd.conf
+++ b/qpid/cpp/etc/qpidd.conf
@@ -21,4 +21,4 @@
 #
 # (Note: no spaces on either side of '='). Using default settings:
 # "qpidd --help" or "man qpidd" for more details.
-cluster-mechanism=ANONYMOUS
+cluster-mechanism=DIGEST-MD5 ANONYMOUS
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf
index 3197d7792a..d766cb8ef8 100644
--- a/qpid/cpp/etc/sasl2/qpidd.conf
+++ b/qpid/cpp/etc/sasl2/qpidd.conf
@@ -17,8 +17,8 @@
 # under the License.
 #
 #
-# This configuation allows for either SASL PLAIN or ANONYMOUS
-# authentication. The PLAIN authentication is done on a
+# This configuation allows for either SASL ANONYMOUS or DIGEST-MD5
+# authentication. The DIGEST-MD5 authentication is done on a
 # username+password, which is stored in the sasldb_path
 # file. Usernames and passwords can be added to the file using the
 # command:
@@ -39,6 +39,7 @@
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 sasldb_path: /var/lib/qpidd/qpidd.sasldb
+mech_list: DIGEST-MD5 ANONYMOUS
 
 #following line stops spurious 'sql_select option missing' errors when
 #cyrus-sql-sasl plugin is installed