From 11fe8c6e9d5e06de5a573e34bfddb691354df1d8 Mon Sep 17 00:00:00 2001
From: Michael Goulish
Date: Thu, 3 Nov 2011 15:15:45 +0000
Subject: I am removing DIGEST-MD5 from the mech list, because we cannot supply a username+passwd in the sasldb file without introducing a security hole to production systems. So now the only mech is ANONYMOUS -- and lots of changes to the comments to make it clear how to enable MD5 and how to add username+passwd for it. Also, one of the broker options that was mentioned in the old text was archaic -- updated that.

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1197178 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/etc/sasl2/qpidd.conf | 66 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 50 insertions(+), 16 deletions(-)
(limited to 'cpp/etc')

diff --git a/cpp/etc/sasl2/qpidd.conf b/cpp/etc/sasl2/qpidd.conf
index d766cb8ef8..0872bc251b 100644
--- a/cpp/etc/sasl2/qpidd.conf
+++ b/cpp/etc/sasl2/qpidd.conf
@@ -17,30 +17,64 @@ # under the License. # # -# This configuation allows for either SASL ANONYMOUS or DIGEST-MD5 -# authentication. The DIGEST-MD5 authentication is done on a -# username+password, which is stored in the sasldb_path -# file. Usernames and passwords can be added to the file using the -# command: +#--------------------------------- +# Mechanisms and Users +#--------------------------------- # -# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u +# This default qpidd configuration allows for only SASL ANONYMOUS authentication. +# To additionally enable DIGEST-MD5 authentication: # -# The REALM is important and should be the same as the --auth-realm -# option to the broker. This lets the broker properly find the user in -# the sasldb file. +# 1. edit the mech_list below to read +# mech_list: DIGEST-MD5 ANONYMOUS # -# Existing user accounts may be listed with: +# 2. To add new a new user+password to the sasldb file: +# echo $PASSWD | saslpasswd2 -c -p -f $SASLTEST_DB -u QPID $USERNAME # -# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb # -# NOTE: The sasldb file must be readable by the user running the qpidd -# daemon, and should be readable only by that user. +# PLEASE NOTE +# For production messaging systems, a high-security mechanism such as +# DIGEST-MD5 or PLAIN+SSL should be enabled. +# # pwcheck_method: auxprop auxprop_plugin: sasldb sasldb_path: /var/lib/qpidd/qpidd.sasldb -mech_list: DIGEST-MD5 ANONYMOUS +mech_list: ANONYMOUS + -#following line stops spurious 'sql_select option missing' errors when -#cyrus-sql-sasl plugin is installed + +#--------------------------------- +# Other Notes +#--------------------------------- +# +# 1. If you use a nonstandard location for your sasl_config directory, +# you can point qpidd to it by using the --sasl-config option. 
+# If your nonstandard sasl directory is $MY_SASL_DIR, put a copy +# of this file at $MY_SASL_DIR/qpidd.conf, alter the mech list as +# appropriate for your installation, and then use the saslpasswd2 +# command to add new user+passwd pairs: +# echo $PASSWD | saslpasswd2 -c -p -f $MY_SASL_DIR/qpidd.sasldb -u QPID $USERNAME +# +# +# 2. The standard location for the qpidd sasldb file is +# /var/lib/qpidd/qpidd.sasldb +# +# 3. You can see what usernames have been stored in the sasldb, with the +# sasldblistusers2 command. +# +# 4. The REALM is important and should be the same as the --realm +# option to the broker. This lets the broker properly find the user in +# the sasldb file. +# +# 5. The sasldb file must be readable by the user running the qpidd +# daemon, and should be readable only by that user. +# + + + +# The following line stops spurious 'sql_select option missing' errors when +# cyrus-sql-sasl plugin is installed sql_select: dummy select + + + -- cgit v1.2.1
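Review bot: the "Mechanisms and Users" step 1 tells production operators to set `mech_list: DIGEST-MD5 ANONYMOUS`, which still leaves ANONYMOUS negotiable, so enabling DIGEST-MD5 that way does not actually require credentials from any client; the PLEASE NOTE paragraph should say that ANONYMOUS must also be removed from mech_list once a password-based mechanism is in place, and that the broker-side `--auth` setting must still be on for mech_list to matter. Two smaller points in the same comment block: step 2 reads "To add new a new user+password" (drop the stray "new"), and its example uses `$SASLTEST_DB`, a name that looks copied from a test script, while the "Other Notes" section says the standard location is `/var/lib/qpidd/qpidd.sasldb`; use that path (or `$MY_SASL_DIR/qpidd.sasldb` as in note 1) so the two examples agree. The three empty `+` lines appended after `sql_select: dummy select` are trailing-whitespace noise and can be dropped.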