authorGordon Sim <gsim@apache.org>2008-05-09 18:09:43 +0000
committerGordon Sim <gsim@apache.org>2008-05-09 18:09:43 +0000
commit485022ac7cd72b40cb4c99f2e27389d016a31371 (patch)
tree5fc20fa2f28fe3d20b3db6237317580839b3fd6e /qpid/cpp/etc
parent3e41544f9e3a66d4ab8b554ad6e2c864b48b79c6 (diff)
downloadqpid-python-485022ac7cd72b40cb4c99f2e27389d016a31371.tar.gz
QPID-648: Patch from Matt Farrellee
- support for realms - updates to packaging to create a default db and the necessary conf files for plain and anon git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk@654902 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/etc')
-rw-r--r--qpid/cpp/etc/Makefile.am34
-rw-r--r--qpid/cpp/etc/sasl2/qpidd.conf24
2 files changed, 58 insertions, 0 deletions
diff --git a/qpid/cpp/etc/Makefile.am b/qpid/cpp/etc/Makefile.am
new file mode 100644
index 0000000000..34a1a0062d
--- /dev/null
+++ b/qpid/cpp/etc/Makefile.am
@@ -0,0 +1,34 @@
+SASL_CONF = sasl2/qpidd.conf
+
+EXTRA_DIST = \
+ $(SASL_CONF) \
+ qpidd qpidd.conf
+
+nobase_sysconf_DATA = \
+ qpidd.conf
+
+if HAVE_SASL
+SASL_DB = sasl2/qpidd.sasldb
+
+nobase_sysconf_DATA += \
+ $(SASL_CONF)
+
+sasldbdir = $(localstatedir)/lib/qpidd
+sasldb_DATA = $(SASL_DB)
+
+# Setup the default sasldb file with a single user, guest, with an
+# obvious password. This user and password are the default for many
+# clients.
+#
+# The realm specified by -u is very important, and QPID is the default
+# for the broker so we use it here. The realm is important because it
+# defaults to the local hostname of the machine running the
+# broker. This may not seem to bad at first glance, but it means that
+# the sasldb has to be tailored to each machine that would be running
+# a broker, and if the machine ever changed its name the
+# authentication would stop working until the sasldb was updated. For
+# these reasons we always want the broker to specify a realm where its
+# users live, and we want the users to exist in that realm as well.
+$(SASL_DB):
+ echo guest | /usr/sbin/saslpasswd2 -c -p -f $(SASL_DB) -u QPID guest
+endif
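Review bot: `sasldb_DATA = $(SASL_DB)` installs the generated database through automake's DATA rule, which uses `$(INSTALL_DATA)` (normally mode 644), so the file holding the guest credential lands in `$(localstatedir)/lib/qpidd` world-readable, contrary to the NOTE in sasl2/qpidd.conf that it should be readable only by the daemon user. An `install-data-hook:` inside the `if HAVE_SASL` block with the recipe `chmod 600 $(DESTDIR)$(sasldbdir)/qpidd.sasldb` would tighten it; ownership by the qpidd user presumably has to be set by the packaging, which is not visible here. The comment above the `$(SASL_DB)` rule should also say that guest/guest is a well-known default that must be changed or removed before the broker is reachable from anything other than a test host. Separately, the recipe hard-codes `/usr/sbin/saslpasswd2`; a configure-detected path would avoid a build failure on systems that install it elsewhere.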
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf
new file mode 100644
index 0000000000..42466b60cb
--- /dev/null
+++ b/qpid/cpp/etc/sasl2/qpidd.conf
@@ -0,0 +1,24 @@
+#
+# This configuation allows for either SASL PLAIN or ANONYMOUS
+# authentication. The PLAIN authentication is done on a
+# username+password, which is stored in the sasldb_path
+# file. Usernames and passwords can be added to the file using the
+# command:
+#
+# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+#
+# The REALM is important and should be the same as the --auth-realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# Existing user accounts may be listed with:
+#
+# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
+#
+# NOTE: The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+mech_list: plain anonymous
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /var/lib/qpidd/qpidd.sasldb
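Review bot: `mech_list: plain anonymous` enables ANONYMOUS next to PLAIN, so a client can connect without any credential and the sasldb only constrains clients that choose PLAIN; the header comment names both mechanisms but does not spell out this consequence. I would add to the comment block something like `# NOTE: 'anonymous' admits clients with no credentials; remove it from mech_list to require a username and password.` PLAIN also carries the password unprotected at the SASL layer, so a second comment line recommending it only over an encrypted transport would help. The word "configuation" in the first comment line is a typo for "configuration".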