Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:lsmcd:new_sasl [2019/11/07 22:18] Robert Perper [Creating a User Database Just for LSMCD] |
litespeed_wiki:lsmcd:new_sasl [2019/11/27 14:32] (current) Robert Perper [Enable SASL in Your Configuration File] |
||
|---|---|---|---|
| Line 8: | Line 8: | ||
| As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. The client program ''memcapable'' will fail all tests as it does not properly handle SASL. If you wish to use this program to validate functionality, a customized version of the program is available in the distribution and can be built using instructions specified in the README. | As for Memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet. The client program ''memcapable'' will fail all tests as it does not properly handle SASL. If you wish to use this program to validate functionality, a customized version of the program is available in the distribution and can be built using instructions specified in the README. | ||
| + | |||
| + | To allow existing programs to run with SASL enabled, the Anonymous user, described in [[litespeed_wiki:lsmcd:sasl_secure_user_data|LSMCD Secure User Data Using SASL]] will allow ASCII and telnet access to an independent data area. | ||
| ===== Configuring SASL ===== | ===== Configuring SASL ===== | ||
| Line 23: | Line 25: | ||
| CACHED.USESASL=TRUE | CACHED.USESASL=TRUE | ||
| - | Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/tmp/lsmcd.log''). As mentioned above, ASCII and telnet commands are also going to fail as well. | + | Note that once SASL is enabled, all failed accesses to Memcached functions are going to result in an error being written to the lsmcd log (defaults to ''/tmp/lsmcd.log''). As mentioned above, ASCII and telnet commands are also going to fail as well (unless the Anonymous user feature is enabled). |
| When you change this value, accesses to the existing LSMCD database will fail as the system will detect a mismatch between your prior SASL configuration and your current one. You will need to delete your LSMCD data files: <code>rm -rf /dev/shm/lsmcd</code> | When you change this value, accesses to the existing LSMCD database will fail as the system will detect a mismatch between your prior SASL configuration and your current one. You will need to delete your LSMCD data files: <code>rm -rf /dev/shm/lsmcd</code> | ||
| Line 39: | Line 41: | ||
| The sasldb database must have permissions which allow the LSMCD user read access to it (typically 640 in most environments). Since this allows read access to any user in the root group, this may not meet your security requirements. This can be circumvented by creating a SASL managed database which is accessible only to the LSMCD user. | The sasldb database must have permissions which allow the LSMCD user read access to it (typically 640 in most environments). Since this allows read access to any user in the root group, this may not meet your security requirements. This can be circumvented by creating a SASL managed database which is accessible only to the LSMCD user. | ||
| - | As above you will use the saslpasswd2 program. However, specify a database name with the `-f` parameter. For example, to create a user `user1` in the `/etc/sasllsmcd` program specify: | + | As above you will use the saslpasswd2 program. However, specify a database name with the `-f` parameter. For example, to create a user `user1` in the `/etc/sasllsmcd` database specify: |
| <code> | <code> | ||
| Line 54: | Line 56: | ||
| The program `sasllistusers2` also supports the `-f` option. | The program `sasllistusers2` also supports the `-f` option. | ||
| + | To let LSMCD know of the database edit your ''/usr/local/lsmcd/conf/node.conf'' file and add the parameter: ''Cached.SaslDB''. Assuming that the name of your new database is ''/etc/sasllsmcd'' add to node.conf: | ||
| + | <code> | ||
| + | Cached.SaslDB=/etc/sasllsmcd | ||
| + | </code> | ||
| ==== Configure for PHP ==== | ==== Configure for PHP ==== | ||
| The procedures for the Memcached extension to PHP are documented at [[http://php.net/manual/en/memcached.setup|php.net]]. You know you have it right if ''phpinfo'' displays a **Memcached** section. | The procedures for the Memcached extension to PHP are documented at [[http://php.net/manual/en/memcached.setup|php.net]]. You know you have it right if ''phpinfo'' displays a **Memcached** section. | ||
| Line 90: | Line 95: | ||
| If you do not use the ''$mem_var->setSaslAuthData('user', 'password');'' line, then this example will work for non-SASL environments as well. | If you do not use the ''$mem_var->setSaslAuthData('user', 'password');'' line, then this example will work for non-SASL environments as well. | ||
| + | |||
| + | ==== Configure for Python ==== | ||
| + | There are a number of external classes for Python access to memcached. However, only the Python Binary Memcached client https://python-binary-memcached.readthedocs.io/ has been certified by LiteSpeed to work with LSMCD in SASL mode. Installation and use is fully described on their web site. | ||
| + | |||