reallyenglish.cyrus-sasl

ansible-role-cyrus-sasl

This role installs cyrus-sasl, saslauthd, and sets up users in the SASL database file. It only supports local SASL database and saslauthd. If you need other types of back-end systems, this role won't work for you.

sasl_check_pw

This role includes a Python script that checks a user's password. The script is placed in /usr/local/bin across all platforms. Since there's no way to verify if a password defined in a role variable matches the password in the database, the script reads the cyrus_sasl_sasldb_file to find the user and their password. It expects the cyrus_sasl_sasldb_file to be in dbm format.

sasl_check_pw path user domain

Here, path is the location of the cyrus_sasl_sasldb_file, user is the username in that file, and domain is the user's domain name. You should set the password to check in an environment variable called userPassword. If the password matches the one in the database, the script will print matched to the standard output. If it does not match, it will print does not match. The script needs to be run by a user who has read access to the cyrus_sasl_sasldb_file.
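The check described above, written out as an added illustration (this is not the role's own sasl_check_pw script): it reads the dbm file with Python's dbm module, looks up the user under the sasldb key layout user\0realm\0userPassword (an assumption about how cyrus-sasl lays out the file), takes the candidate from the userPassword environment variable and compares in constant time. The selftest helper builds a constructed sample database in a temporary directory so the block runs offline.

```python
"""Illustrative sasl_check_pw lookalike: check a password against a sasldb-style dbm file."""
import dbm
import dbm.dumb
import hmac
import os
import sys
import tempfile

PROP = "userPassword"  # property name cyrus-sasl stores the shared secret under


def sasldb_key(user: str, domain: str) -> bytes:
    # Assumed sasldb key layout: "user\0realm\0property" (value is the plain secret,
    # which is why the file's owner, group and mode matter so much).
    return b"\0".join(p.encode() for p in (user, domain, PROP))


def check_password(path: str, user: str, domain: str, candidate: str) -> str:
    """Return "matched" or "does not match", mirroring the role's script output."""
    with dbm.open(path, "r") as db:          # caller needs read access to the file
        stored = db.get(sasldb_key(user, domain))
    if stored is None:
        return "does not match"              # unknown user: same answer as a wrong password
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return "matched" if hmac.compare_digest(stored, candidate.encode()) else "does not match"


def selftest() -> dict:
    """Build a constructed sample sasldb (dbm.dumb backend) and run three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sasldb2")
        with dbm.dumb.open(path, "n") as db:
            db[sasldb_key("foo", "reallyenglish.com")] = b"password"   # constructed entry
        return {
            "correct": check_password(path, "foo", "reallyenglish.com", "password"),
            "wrong": check_password(path, "foo", "reallyenglish.com", "Password"),
            "unknown": check_password(path, "bar", "reallyenglish.com", "password"),
        }


if __name__ == "__main__":
    # The password comes from the environment, not argv, so it does not show up in ps(1).
    if len(sys.argv) != 4 or "userPassword" not in os.environ:
        sys.exit("usage: userPassword=... sasl_check_pw path user domain")
    print(check_password(sys.argv[1], sys.argv[2], sys.argv[3], os.environ["userPassword"]))
```

A real sasldb2 is whatever dbm library the platform's cyrus-sasl was built against, so dbm.open only succeeds where Python's dbm backends can read that file.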

Requirements

No specific requirements.

Role Variables

| Variable | Description | Default |
|---|---|---|
| cyrus_sasl_package | The package name of cyrus-sasl | {{ __cyrus_sasl_package }} |
| cyrus_sasl_saslauthd_service | The service name of saslauthd | {{ __cyrus_sasl_saslauthd_service }} |
| cyrus_sasl_saslauthd_enable | Set to yes to enable saslauthd | yes |
| cyrus_sasl_saslauthd_flags | Dictionary of service variables and their values | {} |
| cyrus_sasl_saslauthd_flags_default | Default values for service variables | {{ __cyrus_sasl_saslauthd_flags_default }} |
| cyrus_sasl_plugin_dir | Directory for plugin configurations | {{ __cyrus_sasl_plugin_dir }} |
| cyrus_sasl_saslpassword_command | Command to manage user passwords | {{ __cyrus_sasl_saslpassword_command }} |
| cyrus_sasl_sasldblistusers_command | Command to list users in the database | {{ __cyrus_sasl_sasldblistusers_command }} |
| cyrus_sasl_sasldb_file | Path to the SASL database file | {{ __cyrus_sasl_sasldb_file }} |
| cyrus_sasl_sasldb_owner | Owner of the SASL database file | root |
| cyrus_sasl_sasldb_group | Group for the SASL database file | {{ __cyrus_sasl_sasldb_group }} |
| cyrus_sasl_sasldb_file_permission | File permissions for the SASL database file | {{ __cyrus_sasl_sasldb_file_permission }} |
| cyrus_sasl_config | Dictionary of application configurations | {} |
| cyrus_sasl_user | Dictionary of users in the SASL database | {} |

cyrus_sasl_saslauthd_flags

This variable is a dictionary of configuration variables for startup files like those found under /etc/default, /etc/sysconfig, and /etc/rc.conf.d. It assumes these files are read by the startup system using sh(1). Each key in the dictionary is a variable name in the file, and its value is the corresponding value. The variable combines with another variable with the same name but ending with _default (explained below) to create the startup configuration file.

For OpenBSD, only the key flags is valid, and its value goes to daemon_flags in rc.conf(5), where daemon is the name of a script that controls an rc.d(8) daemon.

cyrus_sasl_saslauthd_flags_default

This variable contains default key-value pairs from the upstream configuration and should remain constant unless absolutely necessary to change. By default, the role creates a startup configuration file for each platform based on this variable, identical to the default settings.

For OpenBSD, this variable only has a single key, flags, with an empty string as its value.

cyrus_sasl_config

The key represents the application name. The value is a dictionary where each key is a variable name and its value is the corresponding value. Example:

cyrus_sasl_config:
    myapp:
        pwcheck_method: saslauthd

cyrus_sasl_user

The key is the username, and its value is a dictionary.

| Key | Value |
|---|---|
| domain | The user's domain |
| password | The user's password |
| appname | The application name for the user |
| state | Either present (to create the user) or absent (to delete the user) |

Example:

cyrus_sasl_user:
  foo:
    domain: reallyenglish.com
    password: password
    appname: argus
    state: present

Debian-Specific Variables

| Variable | Default |
|---|---|
| __cyrus_sasl_package | libsasl2-2 |
| __cyrus_sasl_saslauthd_service | saslauthd |
| __cyrus_sasl_saslauthd_flags_default | {"MECHANISMS"=>"pam", "MECH_OPTIONS"=>"", "THREADS"=>5, "OPTIONS"=>"-c -m /var/run/saslauthd"} |
| __cyrus_sasl_plugin_dir | /usr/lib/sasl2 |
| __cyrus_sasl_saslpassword_command | saslpasswd2 |
| __cyrus_sasl_sasldblistusers_command | sasldblistusers2 |
| __cyrus_sasl_sasldb_file | /etc/sasldb2 |
| __cyrus_sasl_sasldb_file_permission | 0660 |
| __cyrus_sasl_sasldb_group | root |

FreeBSD-Specific Variables

| Variable | Default |
|---|---|
| __cyrus_sasl_package | cyrus-sasl |
| __cyrus_sasl_saslauthd_service | saslauthd |
| __cyrus_sasl_saslauthd_flags_default | {} |
| __cyrus_sasl_plugin_dir | /usr/local/lib/sasl2 |
| __cyrus_sasl_saslpassword_command | saslpasswd2 |
| __cyrus_sasl_sasldblistusers_command | sasldblistusers2 |
| __cyrus_sasl_sasldb_file | /usr/local/etc/sasldb2 |
| __cyrus_sasl_sasldb_file_permission | 600 |
| __cyrus_sasl_sasldb_group | wheel |

OpenBSD-Specific Variables

| Variable | Default |
|---|---|
| __cyrus_sasl_package | cyrus-sasl-- |
| __cyrus_sasl_saslauthd_service | saslauthd |
| __cyrus_sasl_saslauthd_flags_default | {"flags"=>"-a getpwent"} |
| __cyrus_sasl_plugin_dir | /usr/local/lib/sasl2 |
| __cyrus_sasl_saslpassword_command | saslpasswd2 |
| __cyrus_sasl_sasldblistusers_command | sasldblistusers2 |
| __cyrus_sasl_sasldb_file | /etc/sasldb2 |
| __cyrus_sasl_sasldb_file_permission | 600 |
| __cyrus_sasl_sasldb_group | wheel |

RedHat-Specific Variables

| Variable | Default |
|---|---|
| __cyrus_sasl_package | cyrus-sasl |
| __cyrus_sasl_saslauthd_service | saslauthd |
| __cyrus_sasl_saslauthd_flags_default | {"SOCKETDIR"=>"/run/saslauthd", "MECH"=>"pam", "FLAGS"=>""} |
| __cyrus_sasl_plugin_dir | /usr/lib64/sasl2 |
| __cyrus_sasl_saslpassword_command | saslpasswd2 |
| __cyrus_sasl_sasldblistusers_command | sasldblistusers2 |
| __cyrus_sasl_sasldb_file | /etc/sasldb2 |
| __cyrus_sasl_sasldb_file_permission | 0640 |
| __cyrus_sasl_sasldb_group | root |

Dependencies

No dependencies.

Example Playbook

- hosts: localhost
  roles:
    - ansible-role-cyrus-sasl
  vars:
    cyrus_sasl_user:
      foo:
        domain: reallyenglish.com
        password: password
        appname: argus
        state: present
    cyrus_sasl_config:
      myapp:
        pwcheck_method: saslauthd
      argus:
        pwcheck_method: auxprop
        auxprop_plugin: sasldb
        mech_list: DIGEST-MD5
    cyrus_sasl_sasldb_group: "{% if ansible_os_family == 'Debian' %}nogroup{% else %}nobody{% endif %}"
    cyrus_sasl_sasldb_file_permission: "0640"

    extra_variables_debian:
      THREADS: 6
    extra_variables_redhat:
      FLAGS: -n 6
    extra_variables_freebsd:
      saslauthd_flags: -a pam -n 6
    extra_variables_openbsd:
      flags: -a getpwent -n 6
    cyrus_sasl_saslauthd_flags: "{% if ansible_os_family == 'Debian' %}{{ extra_variables_debian }}{% elif ansible_os_family == 'RedHat' %}{{ extra_variables_redhat }}{% elif ansible_os_family == 'FreeBSD' %}{{ extra_variables_freebsd }}{% elif ansible_os_family == 'OpenBSD' %}{{ extra_variables_openbsd }}{% endif %}"

License

Copyright (c) 2017 Tomoyuki Sakurai <tomoyukis@reallyenglish.com>

You can use, copy, modify, and share this software for any purpose, for free, as long as you include this copyright and permission notice in any copies. 

THE SOFTWARE IS PROVIDED "AS IS", AND THE AUTHOR DISCLAIMS ALL WARRANTIES. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE.

Author Information

Tomoyuki Sakurai tomoyukis@reallyenglish.com

This README was created by qansible

Project information

Configures cyrus-sasl and users in SASL DB file

Install
ansible-galaxy install reallyenglish.cyrus-sasl
License
isc
Downloads
17.2k