Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:lsmcd:new_sasl [2018/06/27 15:27] Robert Perper [Create and Configure a User Database] |
litespeed_wiki:lsmcd:new_sasl [2019/03/28 12:37] Robert Perper [Configure for PHP] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. This is only necessary if you ran LSMCD without SASL. Regeneration is done by deleting the files stored in the ''Cached.ShmDir'' parameter of your node.conf file (defaults /dev/shm/lsmcd) and allow them to be recreated. You will also need to regenerate your databases if you wish to remove SASL. | Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. This is only necessary if you ran LSMCD without SASL. Regeneration is done by deleting the files stored in the ''Cached.ShmDir'' parameter of your node.conf file (defaults /dev/shm/lsmcd) and allow them to be recreated. You will also need to regenerate your databases if you wish to remove SASL. | ||
| - | You can also secure data by user using SASL. See https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:sasl_secure_user_data for details. | + | You can also secure data by user using SASL. See [[litespeed_wiki:lsmcd:sasl_secure_user_data|LSMCD Secure User Data Using SASL]] for details. |
| - | As for memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. The client program ''memcapable'' will fail all tests as it does not properly handle SASL. If you wish to use this program to validate functionality, a customized version of the program is available in the distribution and can be built using instructions specified in the README. | + | As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. The client program ''memcapable'' will fail all tests as it does not properly handle SASL. If you wish to use this program to validate functionality, a customized version of the program is available in the distribution and can be built using instructions specified in the README. |
| ===== Configuring SASL ===== | ===== Configuring SASL ===== | ||
| There are a number steps to configuring LSMCD to operate with SASL: | There are a number steps to configuring LSMCD to operate with SASL: | ||
| - | * Enable SASL in your ''lsmcd.conf'' file. | + | * Enable SASL in your ''node.conf'' file. |
| * Create and configure a user database. | * Create and configure a user database. | ||
| * Configure any additional settings needed for PHP. | * Configure any additional settings needed for PHP. | ||
| Line 23: | Line 23: | ||
| CACHED.USESASL=TRUE | CACHED.USESASL=TRUE | ||
| - | Note that once SASL is enabled, failed accesses to all memcached functions are going to fail with an error written to the lsmcd log (defaults to /tmp/lsmcd.log). As mentioned above, ASCII and telnet commands are also going to fail as well. | + | Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/tmp/lsmcd.log''). As mentioned above, ASCII and telnet commands are also going to fail as well. |
| + | |||
| + | When you change this value, accesses to the existing LSMCD database will fail as the system will detect a mismatch between your prior SASL configuration and your current one. You will need to delete your LSMCD data files: <code>rm -rf /dev/shm/lsmcd</code> | ||
| ==== Create and Configure a User Database ==== | ==== Create and Configure a User Database ==== | ||
| A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method. | A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method. | ||
| Line 34: | Line 37: | ||
| To create a user named ''user1'' enter ''saslpasswd2 user1''. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including [[https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=saslpasswd2|gsp.com]]. | To create a user named ''user1'' enter ''saslpasswd2 user1''. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including [[https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=saslpasswd2|gsp.com]]. | ||
| - | If when using LSMCD and if you get a ''user not found'' error, you may need to qualify the username with the machine name. For example, if your computer was named machine, specify: ''user1@machine''. ''sasldblistusers2'' can provide you a complete list of fully qualified user names. | + | You can use either the simple user name or the realm qualified name visible in ''sasldblistusers2'' (the name with the ''@hostname'' appended to it). Note that for user managed data it will use the name specified (which means the realm qualified and unqualified names will be separate). |
| === Option #2: MEMCACHED_SASL_PWDB Environment Variable === | === Option #2: MEMCACHED_SASL_PWDB Environment Variable === | ||
| Line 71: | Line 74: | ||
| <?php | <?php | ||
| $mem_var = new Memcached(); | $mem_var = new Memcached(); | ||
| - | $mem_var->setSaslAuthData('user', 'password'); | ||
| $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true); | $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true); | ||
| $mem_var->setOption(Memcached::OPT_COMPRESSION, false); | $mem_var->setOption(Memcached::OPT_COMPRESSION, false); | ||
| + | $mem_var->setSaslAuthData('user', 'password'); | ||
| $mem_var->addServer("127.0.0.1", 11211); | $mem_var->addServer("127.0.0.1", 11211); | ||
| $response = $mem_var->get("SampleKey"); | $response = $mem_var->get("SampleKey"); | ||