This clause authenticates against a saslauthd server running on the
same host as Radiator. Saslauthd is a Unix authentication server program,
part of the Cyrus SASL suite. It can be configured to authenticate against
a variety of sources, including PAM, Kerberos, DCE, shadow password files,
IMAP, LDAP, SIA or a special SASL user password file.
AuthBy SASLAUTHD connects to the saslauthd server over a UNIX domain
socket. It sends the username, plaintext password, realm and a service
name to saslauthd. Saslauthd then authenticates the user using whatever
method it has been configured to use and then sends the response back to
AuthBy SASLAUTHD.
Requires that saslauthd be installed, configured and running on the
Radiator host.
Tip
You can run saslauthd with the -d flag to get a fairly
detailed log of what it is doing printed to stdout. This can be helpful
in determining why authentication is failing.
CAUTION
AuthBy SASLAUTHD is synchronous: it waits until
saslauthd responds to an authentication request before sending a RADIUS
response to the NAS. Some authentication methods implemented by saslauthd
are slow. For example, PAM will wait several seconds before responding if
the password is incorrect (this is part of the normal behaviour of PAM; it
discourages brute force cracking of passwords).
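The exchange and the synchronous wait described above, as an added Python example that is not Radiator's own code. The framing (four strings, each with a 2-byte network-order length prefix, in the order login, password, service, realm, answered by one length-prefixed string beginning OK or NO) is the one Cyrus SASL's own clients use and is not stated on this page; the account, service name, realm and the 10 second timeout are constructed for the example.

```python
import socket
import struct
import threading

def pack_field(value: bytes) -> bytes:
    # One field: 2-byte network-order length, then the bytes.
    if len(value) > 0xFFFF:
        raise ValueError("field exceeds 16-bit length prefix")
    return struct.pack("!H", len(value)) + value

def build_request(user, password, service, realm=""):
    # Field order used by Cyrus SASL clients: login, password, service, realm.
    return b"".join(pack_field(s.encode()) for s in (user, password, service, realm))

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf

def read_field(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def check_password(sock, user, password, service, realm="", timeout=10.0):
    # Synchronous wait for the reply, bounded by a timeout (this example's choice).
    sock.settimeout(timeout)
    try:
        sock.sendall(build_request(user, password, service, realm))
        return read_field(sock).startswith(b"OK")  # anything but OK is a reject
    except (socket.timeout, ConnectionError):
        return False

def fake_saslauthd(sock, accounts):
    # Constructed stand-in for the daemon; answers exactly one request.
    user, password, _service, _realm = (read_field(sock).decode() for _ in range(4))
    sock.sendall(pack_field(b"OK" if accounts.get(user) == password else b"NO"))

def demo(user, password):
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    daemon = threading.Thread(target=fake_saslauthd, args=(server, {"mikem": "fred"}))
    with client, server:
        daemon.start()
        result = check_password(client, user, password, "radiator", "example.com")
        daemon.join()
    return result
```

Against a real daemon, pass check_password an AF_UNIX stream socket connected to saslauthd's socket file; its path depends on how saslauthd was started. Because the password crosses that socket in clear, the file permissions on the socket directory are what keep other local users from reaching it.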