Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:lsmcd:new_sasl [2018/06/06 14:34] Robert Perper [Configuring SASL] |
litespeed_wiki:lsmcd:new_sasl [2019/03/28 12:37] Robert Perper [Configure for PHP] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. There are various subtle differences in configuration between the two. This section describes the configuration you need to perform to allow LSMCD to operate in a SASL environment. | SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. There are various subtle differences in configuration between the two. This section describes the configuration you need to perform to allow LSMCD to operate in a SASL environment. | ||
| - | Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''Cached.ShmDir'' parameter of your node.conf file) if you wish to remove SASL. | + | Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. This is only necessary if you ran LSMCD without SASL. Regeneration is done by deleting the files stored in the ''Cached.ShmDir'' parameter of your node.conf file (defaults /dev/shm/lsmcd) and allow them to be recreated. You will also need to regenerate your databases if you wish to remove SASL. |
| + | |||
| + | You can also secure data by user using SASL. See [[litespeed_wiki:lsmcd:sasl_secure_user_data|LSMCD Secure User Data Using SASL]] for details. | ||
| + | |||
| + | As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. The client program ''memcapable'' will fail all tests as it does not properly handle SASL. If you wish to use this program to validate functionality, a customized version of the program is available in the distribution and can be built using instructions specified in the README. | ||
| ===== Configuring SASL ===== | ===== Configuring SASL ===== | ||
| There are a number steps to configuring LSMCD to operate with SASL: | There are a number steps to configuring LSMCD to operate with SASL: | ||
| - | * Enable SASL in your lsmcd.conf file | + | * Enable SASL in your ''node.conf'' file. |
| * Create and configure a user database. | * Create and configure a user database. | ||
| - | * Any additional configuration. The doc below mentions things you should do for PHP. | + | * Configure any additional settings needed for PHP. |
| ==== Enable SASL in Your Configuration File ==== | ==== Enable SASL in Your Configuration File ==== | ||
| - | This is discussed at [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:configuration|lscmd Configuration]] which also discusses overall configuration. | + | This is discussed in [[litespeed_wiki:lsmcd:configuration|LSCMD Configuration]], which also discusses overall configuration. |
| - | In particular you need to specify in your node.conf file: <code>CACHED.USESASL=TRUE</code> | + | In particular you need to specify in your ''node.conf'' file: |
| + | CACHED.USESASL=TRUE | ||
| + | Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/tmp/lsmcd.log''). As mentioned above, ASCII and telnet commands are also going to fail as well. | ||
| + | |||
| + | When you change this value, accesses to the existing LSMCD database will fail as the system will detect a mismatch between your prior SASL configuration and your current one. You will need to delete your LSMCD data files: <code>rm -rf /dev/shm/lsmcd</code> | ||
| ==== Create and Configure a User Database ==== | ==== Create and Configure a User Database ==== | ||
| - | It is required that you create a user database. In prior versions there was only one way, using MEMCACHED_SASL_PWDB. However, there is now an additional method, using saslauthd provided as part of Cyrus SASL. This is the recommended method. | + | A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method. |
| - | * sasldb managed database. This is the default method if there is no MEMCACHED_SASL_PWDB defined and no /etc/sasl/sasldb.conf file and is the recommended method as security information is stored encrypted. | + | |
| - | * MEMCACHED_SASL_PWDB database only for lsmcd. | + | |
| No matter the method you choose, you become the security administrator for these accounts. | No matter the method you choose, you become the security administrator for these accounts. | ||
| - | === sasldb managed database === | + | === Option #1 (Recommended): sasldb Managed Database === |
| + | A sasldb database is typically stored in ''/etc/sasldb2'' and is managed using the saslpasswd2 program. You must be root to manage users with saslpasswd2. | ||
| - | A sasldb database is typically stored in /etc/sasldb2 and is managed using the saslpasswd2 program. You must be root to manage users with that program. This is the recommended user database methodology. | + | To create a user named ''user1'' enter ''saslpasswd2 user1''. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including [[https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=saslpasswd2|gsp.com]]. |
| - | To create a user named ''user1'' enter ''saslpasswd2 user1''. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including: https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=saslpasswd2 | + | You can use either the simple user name or the realm qualified name visible in ''sasldblistusers2'' (the name with the ''@hostname'' appended to it). Note that for user managed data it will use the name specified (which means the realm qualified and unqualified names will be separate). |
| - | === MEMCACHED_SASL_PWDB === | + | === Option #2: MEMCACHED_SASL_PWDB Environment Variable === |
| - | If there is no ''MEMCACHED_SASL_PWDB'' defined, then the default sasl database is /etc/sasl/sasldb.conf and it will be used if it is there. Otherwise, specify the location in the ''MEMCACHED_SASL_PWDB'' environment variable active when lsmcd is started. If for example, you create a file named ''/etc/sasl/sasldb.conf'' you would need to export ''MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf'' before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (''chmod 600''). | + | If there is no ''MEMCACHED_SASL_PWDB'' defined, then the default SASL database is ''/etc/sasl/sasldb.conf'' and will be used if it exists. To specify the location of the SASL database, export the ''MEMCACHED_SASL_PWDB'' environment variable, which is active when LSMCD is started. |
| - | Each line in your user database is a user name, a colon (:), and a password. For example if you had two users (user and sasluser) you might create a ''/etc/sasl/sasldb.conf'' with the following lines in it: | + | If, for example, you create a file named ''/etc/sasl/sasldb.conf'' you would need to export ''MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf'' before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (''chmod 600''). |
| - | <code> | + | |
| - | user:password | + | Each line in your user database is a user name, a colon ('':''), and a password. For example if you had two users (user and sasluser) you might create a ''/etc/sasl/sasldb.conf'' with the following lines in it: |
| - | sasluser:saslpassword | + | |
| - | </code> | + | user:password |
| + | sasluser:saslpassword | ||
| You will also need to create a SASL Configuration File if you are using this method. | You will also need to create a SASL Configuration File if you are using this method. | ||
| Line 44: | Line 53: | ||
| == Create and Configure a SASL Configuration File == | == Create and Configure a SASL Configuration File == | ||
| - | A SASL configuration file must be given one of the following names: ''/etc/sasl/memcached.conf'', ''/tmp/memcached.conf'' or you can save it to any file or location that you wish by setting the ''SASL_CONF_PATH'' environment variable to the file name you wish to use. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file. | + | A SASL configuration file must be given one of the following names: ''/etc/sasl/memcached.conf'', ''/tmp/memcached.conf'' or it may be saved to any file or location that you wish via the ''SASL_CONF_PATH'' environment variable. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file. |
| - | In this file there is only one parameter and value supported as of this release: | + | As of v1.2, there is only one parameter and value supported: |
| - | <code>mech_list: PLAIN</code> | + | mech_list: PLAIN |
| - | Other SASL parameters can be specified in this file however, they are not supported by LSMCD as of this release and will generally be ignored. | + | |
| + | Other SASL parameters can be specified in this file however, they are not supported by LSMCD and will generally be ignored. | ||
| ==== Configure for PHP ==== | ==== Configure for PHP ==== | ||
| - | The procedures for the Memcached extension to PHP are documented in: [[http://php.net/manual/en/memcached.setup.php]]. You know you have it right if phpinfo displays a ''memcached'' section. | + | The procedures for the Memcached extension to PHP are documented at [[http://php.net/manual/en/memcached.setup.phpphp.net]]. You know you have it right if ''phpinfo'' displays a **Memcached** section. |
| The following is a sample PHP script you could create (named ''memcached.php'') to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/password and other settings for your environment. | The following is a sample PHP script you could create (named ''memcached.php'') to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/password and other settings for your environment. | ||
| Line 64: | Line 74: | ||
| <?php | <?php | ||
| $mem_var = new Memcached(); | $mem_var = new Memcached(); | ||
| - | $mem_var->setSaslAuthData('user', 'password'); | ||
| $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true); | $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true); | ||
| $mem_var->setOption(Memcached::OPT_COMPRESSION, false); | $mem_var->setOption(Memcached::OPT_COMPRESSION, false); | ||
| + | $mem_var->setSaslAuthData('user', 'password'); | ||
| $mem_var->addServer("127.0.0.1", 11211); | $mem_var->addServer("127.0.0.1", 11211); | ||
| $response = $mem_var->get("SampleKey"); | $response = $mem_var->get("SampleKey"); | ||