authorMichael Goulish <mgoulish@apache.org>2011-11-03 15:15:45 +0000
committerMichael Goulish <mgoulish@apache.org>2011-11-03 15:15:45 +0000
commitc0ba8ea3bf4463e481712271481f29848018765a (patch)
treef1240e2060a5927b9f9443d9031aeb5b4c5e11ab
parent048daa1b473e4d05318d4cc06c7ac2ba3bd762eb (diff)
downloadqpid-python-c0ba8ea3bf4463e481712271481f29848018765a.tar.gz
I am removing DIGEST-MD5 from the mech list, because we cannot supply
a username+passwd in the sasldb file without introducing a security hole to production systems. So now the only mech is ANONYMOUS -- and lots of changes to the comments to make it clear how to enable MD5 and how to add username+passwd for it. Also, one of the broker options that was mentioned in the old text was archaic -- updated that. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1197178 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/cpp/etc/sasl2/qpidd.conf66
1 files changed, 50 insertions, 16 deletions
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf
index d766cb8ef8..0872bc251b 100644
--- a/qpid/cpp/etc/sasl2/qpidd.conf
+++ b/qpid/cpp/etc/sasl2/qpidd.conf
@@ -17,30 +17,64 @@
# under the License.
#
#
-# This configuation allows for either SASL ANONYMOUS or DIGEST-MD5
-# authentication. The DIGEST-MD5 authentication is done on a
-# username+password, which is stored in the sasldb_path
-# file. Usernames and passwords can be added to the file using the
-# command:
+#---------------------------------
+# Mechanisms and Users
+#---------------------------------
#
-# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+# This default qpidd configuration allows for only SASL ANONYMOUS authentication.
+# To additionally enable DIGEST-MD5 authentication:
#
-# The REALM is important and should be the same as the --auth-realm
-# option to the broker. This lets the broker properly find the user in
-# the sasldb file.
+# 1. edit the mech_list below to read
+# mech_list: DIGEST-MD5 ANONYMOUS
#
-# Existing user accounts may be listed with:
+# 2. To add new a new user+password to the sasldb file:
+# echo $PASSWD | saslpasswd2 -c -p -f $SASLTEST_DB -u QPID $USERNAME
#
-# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
#
-# NOTE: The sasldb file must be readable by the user running the qpidd
-# daemon, and should be readable only by that user.
+# PLEASE NOTE
+# For production messaging systems, a high-security mechanism such as
+# DIGEST-MD5 or PLAIN+SSL should be enabled.
+#
#
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
-mech_list: DIGEST-MD5 ANONYMOUS
+mech_list: ANONYMOUS
+
-#following line stops spurious 'sql_select option missing' errors when
-#cyrus-sql-sasl plugin is installed
+
+#---------------------------------
+# Other Notes
+#---------------------------------
+#
+# 1. If you use a nonstandard location for your sasl_config directory,
+# you can point qpidd to it by using the --sasl-config option.
+# If your nonstandard sasl directory is $MY_SASL_DIR, put a copy
+# of this file at $MY_SASL_DIR/qpidd.conf, alter the mech list as
+# appropriate for your installation, and then use the saslpasswd2
+# command to add new user+passwd pairs:
+# echo $PASSWD | saslpasswd2 -c -p -f $MY_SASL_DIR/qpidd.sasldb -u QPID $USERNAME
+#
+#
+# 2. The standard location for the qpidd sasldb file is
+# /var/lib/qpidd/qpidd.sasldb
+#
+# 3. You can see what usernames have been stored in the sasldb, with the
+# sasldblistusers2 command.
+#
+# 4. The REALM is important and should be the same as the --realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# 5. The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+
+
+
+# The following line stops spurious 'sql_select option missing' errors when
+# cyrus-sql-sasl plugin is installed
sql_select: dummy select
+
+
+
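Review bot: The saslpasswd2 example under the `2. To add new a new user+password` step writes to `$SASLTEST_DB`, a variable nothing in this file defines (it looks like a leftover from a test script), while the store this file configures is `sasldb_path: /var/lib/qpidd/qpidd.sasldb` and the second example under Other Notes uses `$MY_SASL_DIR/qpidd.sasldb`; an administrator following the default instructions will either get an error or populate the wrong database. That line should read `# echo $PASSWD | saslpasswd2 -c -p -f /var/lib/qpidd/qpidd.sasldb -u QPID $USERNAME`, and the step heading has a stray word (`# 2. To add a new user+password to the sasldb file:`). Because both examples hard-code `-u QPID`, note 4 should state explicitly that the broker must then be started with `--realm QPID` (or the `-u` value changed to match), since note 4 itself explains that a realm mismatch leaves the user unfindable in the sasldb. The PLEASE NOTE paragraph describes DIGEST-MD5 as "high-security"; DIGEST-MD5 was moved to historic status in 2011 (RFC 6331), so I would word it as "a password-based mechanism such as PLAIN protected by SSL/TLS" rather than recommending DIGEST-MD5 by name, and say plainly that with `mech_list: ANONYMOUS` any client that can reach the broker is accepted.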