Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:lsmcd:sasl [2018/05/31 17:59]
Robert Perper
+++ litespeed_wiki:lsmcd:sasl [2019/02/25 13:32] (current)
Robert Perper [Configure for PHP]
@@ Line 1: / Line 1: @@
-== lsmcd Security using SASL ==
+====== LSMCD Security Using SASL ======
-SASL (Simple Application and Security Layer) is the method used to secure data in lsmcd and memcached.  There are various subtle differences in configuration between the two.  This section describes the configuration you need to perform to allow lsmcd to operate in a SASL environment.
+SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. There are various subtle differences in configuration between the two. This section describes the configuration you need to perform to allow LSMCD to operate in a SASL environment.
-Enabling SASL is database wide.  Once SASL is enabled, all non-SASL databases will need to be regenerated.  You will need to regenerate your databases if you wish to remove SASL.
+Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the ''Cached.ShmDir'' parameter of your node.conf file) if you wish to remove SASL.
-== Configuring SASL ==
+You can secure data by user if you enable SASL.  This is particularly helpful if you wish to install a single copy of memcached and then share it across your user secured network.  See https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:sasl_secure_user_data for full details.
+===== Configuring SASL =====
-There are 3 steps to configuring lsmcd to operate with SASL:
+There are a number steps to configuring LSMCD to operate with SASL:
-  * Enable it in your lsmcd.conf file
+   * Enable SASL in your node.conf file
-  * Create and configure a SASL configuration file
+   * Create and configure a SASL configuration file
-  * Create and configure a user database.
+   * Create and configure a user database.
-  * Any additional configuration.  The doc below mentions things you should do for PHP.
+   * Any additional configuration. The doc below mentions things you should do for PHP.
-=== Enable SASL in your Configuration File ===
+==== Enable SASL in Your Configuration File ====
-This is discussed at [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:configuration|lscmd Configuration]]
+This is discussed at [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:configuration|lscmd Configuration]] which also discusses overall configuration.
 In particular you need to specify in your node.conf file: <code>CACHED.USESASL=TRUE</code>
-=== Create and configure a SASL configuration file ===
+Once you have changed this value, you must delete your existing LSMCD files: <code>rm -rf /dev/shm/lsmcd</code>
-A SASL configuration file must named one of the following names: <code>/etc/sasl/memcached.conf
+==== Create and Configure a SASL Configuration File ====
-/tmp/memcached.conf</code> or to any file or location that you wish by setting the following environment variable to the file name you wish to use:<code>SASL_CONF_PATH</code>Note that this environment variable must be set in the system environment or in the environment where you started lsmcd (using lsmcdctrl).  Regardless of its name or location the lsmcd user must have read permission to access your configuration file.
+A SASL configuration file must be given one of the following names: ''/etc/sasl/memcached.conf'', ''/tmp/memcached.conf'' or you can save it to any file or location that you wish by setting the ''SASL_CONF_PATH'' environment variable to the file name you wish to use. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file.
 In this file there is only one parameter and value supported as of this release:
 <code>mech_list: PLAIN</code>
-Other SASL parameters can be specified in this file however, they are not supported by lsmcd as of this release and will generally be ignored.
+Other SASL parameters can be specified in this file however, they are not supported by LSMCD as of this release and will generally be ignored.
-=== Create and Configure a User Database ===
+==== Create and Configure a User Database ====
-It is required that you create a user database.  There is no predefined location and you must specify as an environment variable when you start lsmcd ''MEMCACHED_SASL_PWDB'' pointing to this file.  If for example, you create a file named /etc/sasl/sasldb.conf you would need to export ''MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf'' before starting lsmcd.  It is considered good practice to have this file owned by the lsmcd user and readable by only that user (chmod 600).
+It is required that you create a user database. There is no predefined location and you must specify the location in the ''MEMCACHED_SASL_PWDB'' environment variable. If for example, you create a file named ''/etc/sasl/sasldb.conf'' you would need to export ''MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf'' before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (''chmod 600'').
-Each line in your user database is a user name, a colon (:), and a password.  For example if you had two users (user and sasluser) you might create a /etc/sasl/sasldb.conf with the following lines in it:
+Each line in your user database is a user name, a colon (:), and a password. For example if you had two users (user and sasluser) you might create a ''/etc/sasl/sasldb.conf'' with the following lines in it:
-<code>user:password
+<code>
-sasluser:saslpassword</code>
+user:password
+sasluser:saslpassword
+</code>
-=== Configure for PHP ===
+==== Configure for PHP ====
-The procedures for the memcached extension to PHP are documented in: [[http://php.net/manual/en/memcached.setup.php]].  You know if you have it right if phpinfo displays a ''memcached'' section.
+The procedures for the Memcached extension to PHP are documented in: [[http://php.net/manual/en/memcached.setup.php]]. You know you have it right if phpinfo displays a ''memcached'' section.
+The following is a sample PHP script you could create (named ''memcached.php'') to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/password and other settings for your environment.
-The following is a sample PHP script you could create (named memcached.php) to validate that lsmcd is correctly installed and configured to work with SASL.  You'll need to place it in the html directory of your server and adjust the user/password and other settings for your environment.
 Some notes for all programming environments:
-  * You must instantiate an instance of the Memcached object (Memcache no longer works).
+   * You must instantiate an instance of the Memcached object (Memcache no longer works).
-  * You must use the binary protocol.
+   * You must use the binary protocol.
-  * You must make the call to set the Sasl authentication information (user/password) before you add the server.
+   * You must make the call to set the SASL authentication information (user/password) before you add the server.
-  * Once you add the server successfully, you can perform all standard memcached operations (get, put, etc.).
+   * Once you add the server successfully, you can perform all standard Memcached operations (get, put, etc.).
 <code>
 <?php
 $mem_var = new Memcached();
-$mem_var->setSaslAuthData('user', 'password');
 $mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true);
 $mem_var->setOption(Memcached::OPT_COMPRESSION, false);
 $mem_var->addServer("127.0.0.1", 11211);
+$mem_var->setSaslAuthData('user', 'password');
 $response = $mem_var->get("SampleKey");
 if ($response) {
@@ Line 58: / Line 64: @@
  $mem_var->set("SampleKey", "SampleValue") or
  die("SampleKey Couldn't be Created: '( " . $mem_var->getResultMessage() .
-     " )' ");
+   " )' ");
 } else die ("Error in get: " . $mem_var->getResultCode() . ": " .
-            $mem_var->getResultMessage());
+      $mem_var->getResultMessage());
 ?>
 </code>
-Start Litespeed and lsmcd and point your browser to the web page you created.  If the user or password are incorrect you'll see a message like ''Error in get: 41: AUTHENTICATION FAILURE''.  However if you have it right you'll see the first time you access the page ''Adding a key/value: SampleKey/SampleValue'' and subsequent accesses will show ''get(SampleKey) => SampleValue''.
+Start LiteSpeed and LSMCD and point your browser to the web page you created. If the user or password are incorrect you'll see a message like ''Error in get: 41: AUTHENTICATION FAILURE''. However if you have it right you'll see the first time you access the page ''Adding a key/value: SampleKey/SampleValue'' and subsequent accesses will show ''get(SampleKey) => SampleValue''.
+If you do not use the ''$mem_var->setSaslAuthData('user', 'password');'' line, then this example will work for non-SASL environments as well.
+==== Configure for Python ====
+There are a number of external classes for Python access to memcached.  However, only the Python Binary Memcached client https://python-binary-memcached.readthedocs.io/ has been certified by LiteSpeed to work with LSMCD in SASL mode.  Installation and use is fully described on their web site.