Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
150 lines (93 sloc) 4.29 KB

SASL BrowserID

SASL BrowserID is a new SASL mechanism for client and servers who want to authenticate using BrowserID.

Who da what?

SASL stands for Simple Authentication and Secruity Layer. It is a standardized API for re-using authentication mechanisms.

BrowserID is an open web standard for providing a verified email address to websites for authentication.

This project aims to provide a plugin written in C for the popular CMU Cyrus SASL API Implementation. This can be used by:

  • OpenLDAP directory server
  • Email servers (CMU, postfix, etc)
  • ??? Tell us other use cases!


Early stages of deployment within Mozilla.

Security Notes

  1. Contact us before using in a production system.

  2. Make sure the client and server applications recognize and block unknown email addresses!

Quick Start

vagrant up
vagrant ssh

If you have vagrant install, this will give you a fully working setup to play around with or hack on.



This plugin is under development on i686 Ubuntu 10.04 with:

  • Cyrus SASL 2.1.23 or later
  • OpenLDAP 2.4.23 or later
  • libcurl
  • yajl 2.0.2 or later
  • MySQL client libraries for C

Ubuntu Tips

  1. sudo aptitude install ruby cmake automake libcurl-dev libmysqlclient-dev libsasl2-dev libcurl4-gnutls-dev

ruby and cmake are only needed to compile yajl.

automate is only needed to compile sasl-browserid.

  1. Compile yajl

We want yajl 2.0.2 or greater, which most distros haven't packaged.

wget -O yajl-2.0.2.tar.gz
tar zxvf yajl-2.0.2.tar.gz
cd lloyd-yajl-g5b0e7df
sudo make install
ldconfig /usr/local/lib

Install SASL-BrowserID

Assuming you have the requirements installed, you can:

sudo make install

This will create libbrowserid plugins under /usr/lib/sasl2

Configure any sasl enabled servers. Example: see configs/slapd.conf.fragment.txt

Restart any sasl enabled servers, such as slapd.

Configuration details can be found in the INSTALL doc or

./configure --help

Setup MySQL Session

$ mysql -uroot -p
mysql> create database sasl_browserid;
$ exit
$ mysql -u root -p sasl_browserid < configs/browserid_session.ddl

You know how a BrowserID enabled server. Next let's make sure things are working...

Sanity Tests

The following are ways to test this plugin.

For all of the following tests, it's best to watch syslog

sudo tail -f /var/log/auth.log

There are 3 ways to test, pluginviewer, slapd, and sample program.


Note: On some systems this is called pluginviewer.

sudo saslpluginviewer

Do you see BROWSER-ID in the list of SASL client and server mechanisms?

Test values for assertion and audience

Where tests below require an Assertion and Audience, use browserid_debug.html and a local webserver. Example:

$ cd test/www/
$ python -m SimpleHTTPServer 8001

Point your browser at http://locahost:8001/browserid_debug.html

Assertion: eyJhbGci...blah...blah...2mtVg68723mlBPAQds_bPsG8mllYg
Audience: localhost:8001

OpenLDAP (slapd)


sudo cp configs/slapd.conf /usr/lib/sasl2
# restart slapd
cd test/www/

Each time

# request http://localhost:8001 in your browser and do BID login flow
ldapwhoami -Y BROWSER-ID -I -X $A -U 'localhost:8001'

Sample client and server

If you've compiled SASL's sample/client and sample/server programs...

sudo cp configs/sample.conf /usr/lib/sasl2
cd ${SASL_SRC}
./sample/server -p 8089 -s testing -m BROWSER-ID
./sample/client -p 8089 -s testing -m BROWSER-ID localhost


plugins/plugin_common.c and plugins/plugin_common.h are copied from CMU's Cyrus SASL distribution. They are copywrite CMU and licensed per file. See files for details.

The rest of this codebase is original and Copywrite Mozilla Corporation 2011. A License is TBD.

We'll pick a license that works well with Cyrus SASL distributions and balances other factors.