SASL authentication backend for Apache 2.2 in Debian
----------------------------------------------------

IMPORTANT!!!
============

The SASL Authentication Daemon runs with root privileges, which certain
authentication mechanisms require. As a consequence, any process that needs
to talk to the SASL Authentication Daemon must be a member of the SASL user
group (recommended) or run as root (highly discouraged)*.

It is highly recommended to run:

  root acheron[~]# adduser www-data sasl
  Adding user `www-data' to group `sasl' ...
  Adding user www-data to group sasl
  Done.

For more information on this matter, please take a look at the SASL
Authentication Daemon readme. On Debian systems you'll find it at:
/usr/share/doc/sasl2-bin/README.Debian.gz.

-------------------------------------------------------------------------------
(*) Note that, unless you have a very custom setup on your web server,
changing the user Apache runs as from 'www-data' (the default, or its
equivalent) to root is a VERY BAD idea, as it may create a serious security
risk for your system.
-------------------------------------------------------------------------------

CONFIGURING APACHE MODULE AND CONFIGURATION EXAMPLE
===================================================

As this software is delivered as an Apache module, you have to add it to the
list of Apache modules. On Debian systems, this is easily done with the
a2enmod script:

  root acheron[~]# a2enmod authn_sasl
  Enabling module authn_sasl.
  Run '/etc/init.d/apache2 restart' to activate new configuration!
  root acheron[~]# invoke-rc.d apache2 reload
  Reloading web server config: apache2

Here is an example of an Apache AuthBasic restricted directory using the SASL
backend:

    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Allow from localhost home.christy.net
    Deny from all
    AuthType Basic
    AuthName "Restricted to Staff users"
    AuthBasicProvider sasl
    AuthBasicAuthoritative On
    AuthSaslPwcheckMethod saslauthd
    Require user christy bob dominic

Please take into account that there is a very useful tool called
testsaslauthd (provided by the sasl2-bin package on Debian systems) to check
whether saslauthd (the SASL auth daemon) does indeed authenticate a user using
the default mechanism. It turns out to be very useful when debugging a
possible auth problem.

  root acheron[~]# testsaslauthd -u christy -p mysecretpassword
  0: OK "Success."

 -- Ulises Vitulli  Sun, 30 Nov 2008 03:17:45 -0200
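
The group requirement from the IMPORTANT section can be verified before
relying on the module. The script below is an added example, not part of the
original README or of the module's package. It assumes Debian defaults that
are not stated on this page: the Apache run user is exported as
APACHE_RUN_USER in /etc/apache2/envvars, and group members are listed in
/etc/group.

```shell
#!/bin/sh
# Added example: pre-flight check for the saslauthd access requirement.
# Assumed Debian defaults: group "sasl", /etc/group, /etc/apache2/envvars.

# in_group USER GROUP [FILE]: succeed if USER is a listed member of GROUP in
# a group(5)-format FILE. Only supplementary membership recorded in the file
# is seen; other NSS sources (LDAP, NIS) are not consulted.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }' "${3:-/etc/group}"
}

# apache_run_user [FILE]: print the last APACHE_RUN_USER exported in FILE,
# with any surrounding quotes removed.
apache_run_user() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}APACHE_RUN_USER=//p' \
        "${1:-/etc/apache2/envvars}" | tail -n 1 | tr -d "\"'"
}

# sasl_access_verdict [ENVVARS] [GROUPFILE]: print one of
#   ok                 run user is unprivileged and in group sasl
#   runs-as-root       the discouraged setup from the footnote
#   not-in-sasl-group  "adduser <user> sasl" has not been done
#   unknown-user       no APACHE_RUN_USER found in ENVVARS
sasl_access_verdict() {
    user=$(apache_run_user "${1:-/etc/apache2/envvars}")
    if [ -z "$user" ]; then
        echo unknown-user
    elif [ "$user" = root ]; then
        echo runs-as-root
    elif in_group "$user" sasl "${2:-/etc/group}"; then
        echo ok
    else
        echo not-in-sasl-group
    fi
}
```

Called with no arguments, sasl_access_verdict reads the live system files.
Group changes only take effect for Apache after it has been restarted.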