3.73. <AuthBy SASLAUTHD>

This clause authenticates against a saslauthd server running on the same host as Radiator. Saslauthd is a Unix authentication server program, part of the Cyrus SASL suite. It can be configured to authenticate from a variety of sources, including PAM, Kerberos, DCE, shadow password files, IMAP, LDAP, SIA or a special SASL user password file.
AuthBy SASLAUTHD connects to the saslauthd server over a UNIX domain socket. It sends the username, plaintext password, realm and a service name to saslauthd. Saslauthd then authenticates the user using whatever method it has been configured to use and then sends the response back to AuthBy SASLAUTHD.
AuthBy SASLAUTHD requires that saslauthd be installed, configured and running on the Radiator host.
Tip
You can run saslauthd with the -d flag to get a fairly detailed log of what it is doing printed to stdout. This can be helpful in determining why authentication is failing.
CAUTION
AuthBy SASLAUTHD is synchronous: it waits until saslauthd responds to an authentication request before sending a RADIUS response to the NAS. Some authentication methods implemented by saslauthd are slow. For example, PAM will wait several seconds before responding if the password is incorrect (this is part of the normal behaviour of PAM; it discourages brute force cracking of passwords).
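
The exchange described above, as an added example that is not Radiator's own code: a small client that frames the four fields for saslauthd, reads the reply, and times the wait that a synchronous caller would block for. It assumes the counted-string framing of the Cyrus SASL saslauthd socket protocol (2-byte big-endian length before each field, in the order login, password, service, realm); the stub server, its credentials, the realm and all function names are constructed for the example.

```python
import socket, struct, threading, time

def pack_field(value):
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data  # 2-byte big-endian length, then bytes

def build_request(user, password, service, realm):
    # Assumed field order (Cyrus saslauthd): login, password, service, realm.
    return b"".join(pack_field(f) for f in (user, password, service, realm))

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf

def read_field(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length).decode("utf-8", "replace")

def check(sock, user, password, service="login", realm="", timeout=10.0):
    sock.settimeout(timeout)  # bound the wait: the caller blocks until the reply
    start = time.monotonic()
    sock.sendall(build_request(user, password, service, realm))
    reply = read_field(sock)  # reply text starts with "OK" or "NO"
    return reply.startswith("OK"), reply, time.monotonic() - start

def stub_saslauthd(sock, fail_delay=0.2):
    # Constructed stand-in for saslauthd; delays failures the way PAM does.
    user, password, _service, _realm = [read_field(sock) for _ in range(4)]
    ok = (user, password) == ("alice", "constructed-password")
    if not ok:
        time.sleep(fail_delay)
    sock.sendall(pack_field("OK" if ok else "NO"))

def demo(user, password):
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=stub_saslauthd, args=(server,))
    with client, server:
        worker.start()
        try:
            return check(client, user, password, realm="example.com")
        finally:
            worker.join()

if __name__ == "__main__":
    print(demo("alice", "wrong-password"))  # (accepted, reply, seconds waited)
```

To test a real daemon instead of the stub, pass check() an AF_UNIX stream socket connected to the mux socket path your saslauthd instance was started with.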