Differences

This shows you the differences between two versions of the page.

litespeed_wiki:lsmcd:new_sasl [2018/07/24 15:46]
Lisa Clarke Proofreading
litespeed_wiki:lsmcd:new_sasl [2019/11/27 14:32] (current)
Robert Perper [Enable SASL in Your Configuration File]
Line 8: Line 8:
  
 As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. ​ The client program ''​memcapable''​ will fail all tests as it does not properly handle SASL.  If you wish to use this program to validate functionality,​ a customized version of the program is available in the distribution and can be built using instructions specified in the README. As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. ​ The client program ''​memcapable''​ will fail all tests as it does not properly handle SASL.  If you wish to use this program to validate functionality,​ a customized version of the program is available in the distribution and can be built using instructions specified in the README.
 +
 +To allow existing programs to run with SASL enabled, the Anonymous user, described in [[litespeed_wiki:​lsmcd:​sasl_secure_user_data|LSMCD Secure User Data Using SASL]] will allow ASCII and telnet access to an independent data area.
  
 ===== Configuring SASL ===== ===== Configuring SASL =====
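Review bot: the new Anonymous-user paragraph should say how the feature is switched on and make the security trade-off explicit: it reinstates unauthenticated ASCII/telnet access, so anything written through it is readable and writable by any client that can reach the port, and it must not be used to hold the data that SASL was enabled to protect. The later sentence in this revision reads "unless the Anonymous user feature is enabled" without naming the setting, so a cross-reference to the setting here (or the one-line configuration that turns it on) would close that gap. Minor: "As for Memcached" reads better as "As with Memcached".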
Line 23: Line 25:
   CACHED.USESASL=TRUE   CACHED.USESASL=TRUE
  
-Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/​tmp/​lsmcd.log''​). ​ As mentioned above, ASCII and telnet commands are also going to fail as well.+Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/​tmp/​lsmcd.log''​). ​ As mentioned above, ASCII and telnet commands are also going to fail as well (unless the Anonymous user feature is enabled). 
 + 
 +When you change this value, accesses to the existing LSMCD database will fail as the system will detect a mismatch between your prior SASL configuration and your current one.  You will need to delete your LSMCD data files: <​code>​rm -rf /​dev/​shm/​lsmcd</​code>​
  
 ==== Create and Configure a User Database ==== ==== Create and Configure a User Database ====
-A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. ​In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method +A user database is required. The recommended method uses Cyrus SASL to create a sasldb managed database. ​Note that you become ​the security administrator for these accounts.
  
-No matter the method you choose, you become the security administrator for these accounts. 
- 
-=== Option #1 (Recommended):​ sasldb Managed Database === 
 A sasldb database is typically stored in ''/​etc/​sasldb2''​ and is managed using the saslpasswd2 program. ​ You must be root to manage users with saslpasswd2. A sasldb database is typically stored in ''/​etc/​sasldb2''​ and is managed using the saslpasswd2 program. ​ You must be root to manage users with saslpasswd2.
  
Line 37: Line 38:
 You can use either the simple user name or the realm qualified name visible in ''​sasldblistusers2''​ (the name with the ''​@hostname''​ appended to it).  Note that for user managed data it will use the name specified (which means the realm qualified and unqualified names will be separate). You can use either the simple user name or the realm qualified name visible in ''​sasldblistusers2''​ (the name with the ''​@hostname''​ appended to it).  Note that for user managed data it will use the name specified (which means the realm qualified and unqualified names will be separate).
  
-=== Option #2: MEMCACHED_SASL_PWDB Environment Variable ​=== +==== Creating a User Database Just for LSMCD ==== 
-If there is no ''​MEMCACHED_SASL_PWDB''​ defined, then the default SASL database is ''/​etc/​sasl/​sasldb.conf''​ and will be used if it exists.  ​To specify the location of the SASL database, export the ''​MEMCACHED_SASL_PWDB''​ environment variable, ​which is active when LSMCD is started+The sasldb database must have permissions which allow the LSMCD user read access to it (typically 640 in most environments).  ​Since this allows read access to any user in the root group, this may not meet your security requirements. ​ This can be circumvented by creating a SASL managed ​database which is accessible only to the LSMCD user.
  
-Iffor example, ​you create a file named ''​/etc/sasl/​sasldb.conf''​ you would need to export ''​MEMCACHED_SASL_PWDB=/​etc/​sasl/​sasldb.conf''​ before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (''​chmod 600''​).+As above you will use the saslpasswd2 program. ​ Howeverspecify a database name with the `-f` parameter. ​ For example, ​to create a user `user1` in the `/etc/sasllsmcd` database specify:
  
-Each line in your user database is a user name, a colon ('':''​),​ and a password. For example if you had two users (user and sasluser) you might create a ''​/etc/sasl/sasldb.conf''​ with the following lines in it:+<​code>​ 
 +sudo saslpasswd2 -f /etc/sasllsmcd user1 
 +</code>
  
-  ​user:password +Then you will want to make the database owned by the LSMCD user (`nobody` by default) and accessible only to that user:
-  sasluser:​saslpassword+
  
-You will also need to create a SASL Configuration File if you are using this method. +<​code>​ 
- +sudo chown nobody:nobody ​/etc/sasllsmcd 
-== Create and Configure a SASL Configuration File == +sudo chmod 600 /etc/sasllsmcd 
- +</code>
-A SASL configuration file must be given one of the following names''​/etc/sasl/memcached.conf'',​ ''​/tmp/memcached.conf''​ or it may be saved to any file or location that you wish via the ''​SASL_CONF_PATH''​ environment variable. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file.+
  
-As of v1.2, there is only one parameter and value supported:​ +The program `sasllistusers2` also supports the `-f` option.
-  mech_list: PLAIN +
-   +
-Other SASL parameters can be specified in this file however, they are not supported by LSMCD and will generally be ignored.+
  
 +To let LSMCD know of the database edit your ''/​usr/​local/​lsmcd/​conf/​node.conf''​ file and add the parameter: ''​Cached.SaslDB''​. ​ Assuming that the name of your new database is ''/​etc/​sasllsmcd''​ add to node.conf:
 +<​code>​
 +Cached.SaslDB=/​etc/​sasllsmcd
 +</​code>​
 ==== Configure for PHP ==== ==== Configure for PHP ====
-The procedures for the Memcached extension to PHP are documented at [[http://​php.net/​manual/​en/​memcached.setup.phpphp.net]]. You know you have it right if ''​phpinfo''​ displays a **Memcached** section.+The procedures for the Memcached extension to PHP are documented at [[http://​php.net/​manual/​en/​memcached.setup|php.net]]. You know you have it right if ''​phpinfo''​ displays a **Memcached** section.
  
 The following is a sample PHP script you could create (named ''​memcached.php''​) to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/​password and other settings for your environment. The following is a sample PHP script you could create (named ''​memcached.php''​) to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/​password and other settings for your environment.
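Review bot: the permission rationale in "Creating a User Database Just for LSMCD" does not add up: a 640 /etc/sasldb2 is owned by root, so the LSMCD user (nobody by default, per the chown line in the same hunk) cannot read it at all unless nobody is added to the root group or the mode is loosened to 644, and neither step is stated. Say which one the shared-database method actually relies on, since that is what justifies the extra steps of the dedicated database. Two further points in this hunk: the listing program is sasldblistusers2 (as used earlier in this section), not sasllistusers2; and the rm -rf /dev/shm/lsmcd instruction should tell the reader to stop LSMCD first and warn that it discards all cached data, not only the SASL state. Minor style: the new text mixes backtick and two-quote code markup, and Cached.SaslDB is cased differently from CACHED.USESASL a few lines up; confirm that node.conf keys are case-insensitive or use one form.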
Line 65: Line 67:
 Some notes for all programming environments:​ Some notes for all programming environments:​
    * You must instantiate an instance of the Memcached object (Memcache no longer works).    * You must instantiate an instance of the Memcached object (Memcache no longer works).
-   * You must use the binary protocol.+   * You must use the binary protocol ​(must be the first Memcached method). 
 +   * You must turn off compression.
    * You must make the call to set the SASL authentication information (user/​password) before you add the server.    * You must make the call to set the SASL authentication information (user/​password) before you add the server.
-   * Once you add the server successfully,​ you can perform all standard Memcached operations (get, put, etc.).+   * Once you add the server successfully,​ you can perform all standard Memcached operations (get, put, getStats, etc.).
  
 <​code>​ <​code>​
 <?php <?php
 $mem_var = new Memcached();​ $mem_var = new Memcached();​
-$mem_var->​setSaslAuthData('​user',​ '​password'​);​ 
 $mem_var->​setOption(Memcached::​OPT_BINARY_PROTOCOL,​ true); $mem_var->​setOption(Memcached::​OPT_BINARY_PROTOCOL,​ true);
 $mem_var->​setOption(Memcached::​OPT_COMPRESSION,​ false); $mem_var->​setOption(Memcached::​OPT_COMPRESSION,​ false);
 +$mem_var->​setSaslAuthData('​user',​ '​password'​);​
 $mem_var->​addServer("​127.0.0.1",​ 11211); $mem_var->​addServer("​127.0.0.1",​ 11211);
 $response = $mem_var->​get("​SampleKey"​);​ $response = $mem_var->​get("​SampleKey"​);​
Line 92: Line 95:
  
 If you do not use the ''​$mem_var->​setSaslAuthData('​user',​ '​password'​);''​ line, then this example will work for non-SASL environments as well. If you do not use the ''​$mem_var->​setSaslAuthData('​user',​ '​password'​);''​ line, then this example will work for non-SASL environments as well.
 +
 +==== Configure for Python ====
 +There are a number of external classes for Python access to memcached. ​ However, only the Python Binary Memcached client https://​python-binary-memcached.readthedocs.io/​ has been certified by LiteSpeed to work with LSMCD in SASL mode.  Installation and use is fully described on their web site.
 +
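Review bot: moving setSaslAuthData() after the two setOption() calls matches the new "must be the first Memcached method" rule, but the new bullet "You must turn off compression" gives no reason; state whether this is a SASL-mode constraint or a general LSMCD limitation so readers know if it applies to production code as well as this test script. Also, addServer() in the PHP Memcached extension does not open a connection, so "once you add the server successfully" is misleading as a success check: the script should test the result of get() (or getResultCode()) to confirm that SASL authentication worked. Since the sample lives in the web root with a cleartext user/password, add a line telling the reader to remove it after validation.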
  • Last modified: 2018/07/24 15:46
  • by Lisa Clarke