authorMichael Goulish <mgoulish@apache.org>2012-08-24 15:22:04 +0000
committerMichael Goulish <mgoulish@apache.org>2012-08-24 15:22:04 +0000
commitf529f73bc691aa622ab6af34cbbda84301baa6a1 (patch)
tree655eeed832389d187d1826c21b751054b2c2128e /qpid/cpp
parent2c5d0ff2702109d419511a83a5ece876885e8839 (diff)
downloadqpid-python-f529f73bc691aa622ab6af34cbbda84301baa6a1.tar.gz
QPID-4244 : expand broker mech list in sasl config file.
In the file /etc/sasl2/qpidd.conf, expand the mech list to: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN, and improve the comments. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1376958 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp')
-rw-r--r--qpid/cpp/etc/sasl2/qpidd.conf30
1 files changed, 16 insertions, 14 deletions
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf
index 0872bc251b..3d13a6d650 100644
--- a/qpid/cpp/etc/sasl2/qpidd.conf
+++ b/qpid/cpp/etc/sasl2/qpidd.conf
@@ -18,33 +18,31 @@
#
#
#---------------------------------
-# Mechanisms and Users
+# SASL Mechanisms and Users
#---------------------------------
#
-# This default qpidd configuration allows for only SASL ANONYMOUS authentication.
-# To additionally enable DIGEST-MD5 authentication:
-#
-# 1. edit the mech_list below to read
-# mech_list: DIGEST-MD5 ANONYMOUS
-#
-# 2. To add new a new user+password to the sasldb file:
-# echo $PASSWD | saslpasswd2 -c -p -f $SASLTEST_DB -u QPID $USERNAME
+# This default mech list allows for PLAIN, but that
+# mechanism sends credentials in the clear, and is normally
+# only used along with SSL transport-layer security.
#
+# This default also permits DIGEST-MD5, but you must have
+# a user and password defined in your sasldb file to use
+# this mechanism. ( See notes below. )
#
# PLEASE NOTE
# For production messaging systems, a high-security mechanism such as
-# DIGEST-MD5 or PLAIN+SSL should be enabled.
+# DIGEST-MD5 or PLAIN+SSL should be used.
#
#
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
-mech_list: ANONYMOUS
+mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
#---------------------------------
-# Other Notes
+# Please Note
#---------------------------------
#
# 1. If you use a nonstandard location for your sasl_config directory,
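Review bot: The new default `mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN` offers PLAIN on every connection, and nothing in this file ties it to SSL, so the comment's "normally only used along with SSL" is advice rather than something the configuration enforces. ANONYMOUS also stays in the list, so a client can still choose the unauthenticated mechanism even where DIGEST-MD5 users are defined. I would either keep PLAIN out of the shipped default or add a comment directly above the setting, such as `# Remove PLAIN unless clients can reach the broker only over SSL, and remove ANONYMOUS if every client must authenticate.` The removed saslpasswd2 example is now referred to only as "notes below"; whether those notes still show the command cannot be seen from this hunk.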
@@ -60,15 +58,19 @@ mech_list: ANONYMOUS
# /var/lib/qpidd/qpidd.sasldb
#
# 3. You can see what usernames have been stored in the sasldb, with the
-# sasldblistusers2 command.
+# command "sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb"
#
# 4. The REALM is important and should be the same as the --realm
# option to the broker. This lets the broker properly find the user in
# the sasldb file.
#
# 5. The sasldb file must be readable by the user running the qpidd
-# daemon, and should be readable only by that user.
+# daemon, ( the user name is qpidd ) and should be readable only
+# by that user.
#
+# 6. The EXTERNAL mechanism allows you to use SSL transport layer
+# security. In that case, you can also set the broker option
+# --ssl-require-client-authentication .
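Review bot: Note 6 reads as if enabling EXTERNAL is what turns SSL on, when the dependency runs the other way: EXTERNAL takes the client's identity from the certificate presented on an SSL connection, so it is usable only where SSL is already configured. I would reword it along the lines of `# 6. The EXTERNAL mechanism authenticates a client by the certificate it presents over SSL; it requires an SSL listener, and --ssl-require-client-authentication makes the certificate mandatory.` Separately, note 5 would be more actionable if it stated the expected owner and mode of /var/lib/qpidd/qpidd.sasldb, since that file holds the secrets DIGEST-MD5 depends on.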