Author: mgoulish
Date: Thu Nov 3 15:15:45 2011
New Revision: 1197178
URL: http://svn.apache.org/viewvc?rev=1197178&view=rev
Log:
I am removing DIGEST-MD5 from the mech list, because we cannot supply
a username+passwd in the sasldb file without introducing a security hole
to production systems.
So now the only mech is ANONYMOUS -- and lots of changes to the comments
to make it clear how to enable MD5 and how to add username+passwd for it.
Also, one of the broker options that was mentioned in the old text was
archaic -- updated that.
Modified:
qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf
Modified: qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf?rev=1197178&r1=1197177&r2=1197178&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf (original)
+++ qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf Thu Nov 3 15:15:45 2011
@@ -17,30 +17,64 @@
# under the License.
#
#
-# This configuation allows for either SASL ANONYMOUS or DIGEST-MD5
-# authentication. The DIGEST-MD5 authentication is done on a
-# username+password, which is stored in the sasldb_path
-# file. Usernames and passwords can be added to the file using the
-# command:
+#---------------------------------
+# Mechanisms and Users
+#---------------------------------
#
-# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+# This default qpidd configuration allows for only SASL ANONYMOUS
authentication.
+# To additionally enable DIGEST-MD5 authentication:
#
-# The REALM is important and should be the same as the --auth-realm
-# option to the broker. This lets the broker properly find the user in
-# the sasldb file.
+# 1. edit the mech_list below to read
+# mech_list: DIGEST-MD5 ANONYMOUS
#
-# Existing user accounts may be listed with:
+# 2. To add new a new user+password to the sasldb file:
+# echo $PASSWD | saslpasswd2 -c -p -f $SASLTEST_DB -u QPID $USERNAME
#
-# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
#
-# NOTE: The sasldb file must be readable by the user running the qpidd
-# daemon, and should be readable only by that user.
+# PLEASE NOTE
+# For production messaging systems, a high-security mechanism such as
+# DIGEST-MD5 or PLAIN+SSL should be enabled.
+#
#
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
-mech_list: DIGEST-MD5 ANONYMOUS
+mech_list: ANONYMOUS
+
+
+
+#---------------------------------
+# Other Notes
+#---------------------------------
+#
+# 1. If you use a nonstandard location for your sasl_config directory,
+# you can point qpidd to it by using the --sasl-config option.
+# If your nonstandard sasl directory is $MY_SASL_DIR, put a copy
+# of this file at $MY_SASL_DIR/qpidd.conf, alter the mech list as
+# appropriate for your installation, and then use the saslpasswd2
+# command to add new user+passwd pairs:
+# echo $PASSWD | saslpasswd2 -c -p -f $MY_SASL_DIR/qpidd.sasldb -u QPID
$USERNAME
+#
+#
+# 2. The standard location for the qpidd sasldb file is
+# /var/lib/qpidd/qpidd.sasldb
+#
+# 3. You can see what usernames have been stored in the sasldb, with the
+# sasldblistusers2 command.
+#
+# 4. The REALM is important and should be the same as the --realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# 5. The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
-#following line stops spurious 'sql_select option missing' errors when
-#cyrus-sql-sasl plugin is installed
+
+
+# The following line stops spurious 'sql_select option missing' errors when
+# cyrus-sql-sasl plugin is installed
sql_select: dummy select
+
+
+
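Review bot: the added user-creation example under "Mechanisms and Users" references `$SASLTEST_DB`, a variable that is defined nowhere in this file, while "Other Notes" item 2 states the standard path is `/var/lib/qpidd/qpidd.sasldb`; the example should use that path (or name the variable as a placeholder) so an administrator copying the line does not write to an empty path. Related points in the same hunk: `echo $PASSWD | saslpasswd2 -c -p ...` reads the password from a shell variable, which leaves it in shell history when typed interactively, so the comment should say that omitting `-p` makes saslpasswd2 prompt for the password instead; item 3 drops the `-f /var/lib/qpidd/qpidd.sasldb` argument that the removed `sasldblistusers2` line carried, so it no longer shows how to point the tool at the qpidd database; item 4 says the REALM must match the broker's `--realm` option but does not say that the realm is the `-u QPID` argument in the saslpasswd2 examples, which is the value that has to agree; and "To add new a new user+password" has a doubled word.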
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]