The /etc/sasl/appname.conf file is a user-supplied
configuration file that supports user set options for server
applications.
You can modify the behavior of libsasl and its plug-ins for
server applications by specifying option values in
/etc/sasl/appname.conf file, where appname is the
application defined name of the application. For sendmail, the file
would be /etc/sasl/Sendmail.conf. See your application documentation
for information on the application name.
Options that you set in a appname.conf file do not
override SASL options specified by the application itself.
The format for each option setting is:
option_name:value.
You can comment lines in the file by using a leading #.
The SASL library supports the following options for server
applications:
auto_transition
When set to yes, plain users and login plug-ins
are automatically transitioned to other mechanisms when they do a successful
plaintext authentication. The default value for auto_transition is
no.
auxprop_plugin
A space-separated list of names of auxiliary property
plug-ins to use. By default, SASL will use or query all available auxiliary
property plug-ins.
canon_user_plugin
The name of the canonical user plug-in to use. By
default, the value of canon_user_plugin is INTERNAL, to indicate
the use of built-in plug-ins.
log_level
An integer value for the desired level of logging for a
server, as defined in <sasl.h>. This sets the log_level in
the sasl_server_params_t struct in
/usr/include/sasl/saslplug.h. The default value for log_level is
1 to indicate SASL_LOG_ERR.
mech_list
Whitespace separated list of SASL mechanisms to allow,
for example, DIGEST-MD5 GSSAPI. The mech_list option is used to
restrict the mechanisms to a subset of the installed plug-ins. By default,
SASL will use all available mechanisms.
pw_check
Whitespace separated list of mechanisms used to verify
passwords that are used by
sasl_checkpass(3SASL). The default value for
pw_check is
auxprop.
reauth_timeout
This SASL option is used by the server DIGEST-MD5
plug-in. The value of reauth_timeout is the length in time (in minutes)
that authentication information will be cached for a fast reauthorization. A
value of 0 will disable reauthorization. The default value of
reauth_timeout is 1440 (24 hours).
server_load_mech_list
A space separated list of mechanisms to load. If in the
process of loading server plug-ns no desired mechanisms are included in the
plug-in, the plug-in will be unloaded. By default, SASL loads all server
plug-ins.
user_authid
If the value of user_authid is yes, then
the GSSAPI will acquire the client credentials rather than use the default
credentials when it creates the GSS client security context. The default value
of user_authid is no, whereby SASL uses the default client
Kerberos identity.