
Re: saslAuthz{To|From}



For now, I'd rather just try to make u.mech:user@REALM work
reasonably well.  I don't see any good way of fixing the '@'
problem without first fixing Cyrus SASL so as to never append
a REALM to a userid in this fashion UNLESS the mechanism
authentication identity format specifically supports realms
(e.g., Kerberos).  This means that DIGEST-MD5 realms need to
be treated as only distinguishing which authentication
database to use, but not as means for distinguishing identities.

Kurt

At 08:31 AM 12/13/2003, Pierangelo Masarati wrote:
>Kurt D. Zeilenga wrote:
>>At 07:58 AM 12/13/2003, Randall S. Winchester wrote:
>>
>>>My comment would be that for a multi-domain site, a uid can include a
>>>FQDN, like u:jane@janedoe.com.
>>
>>Which is precisely why using @ as a realm separator is a bad idea.
>>We need to support the userid "jane@janedoe.com" existing in multiple
>>realms.
>
>
>Yes.  I'm going to fix the slap_sasl_getdn() code as well,
>and we need to figure out a syntax to specify realm (and
>possibly mechanism) in "u:<user>" form.  What about:
>
>"u.realm;mech:<user>"
>
>with
>
>"u.realm:<user>"
>
>"u;mech:<user>"
>
>in case either is absent?
>
>The syntax would be
>
>"u[.realm][;mech]:<user>"
>
>In this case we don't need to worry about
>a realm allowing dots "." because only
>a semicolon ";" or a colon ":" would terminate it.
>
>Ando.
>
>
>-- 
>Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
>LDAP Architect, SysNet s.n.c.   http://www.sys-net.it
>
>
>+----------------------------------------------------------------------------+
>|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |
>+----------------------------------------------------------------------------+
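Ando's proposed "u[.realm][;mech]:<user>" form, as an added example that is not part of this thread or of OpenLDAP's slap_sasl_getdn(): a small C parser that splits realm, mechanism and user only on ';' and ':', so a userid like jane@janedoe.com, or a realm containing dots, survives intact instead of being misread at an '@'. The struct, the function names and the sample realm/mechanism strings are my own assumptions.

```c
#include <string.h>

/* Constructed example (not OpenLDAP code) of the proposed
 * "u[.realm][;mech]:<user>" authorization-id form.  realm and
 * mech point into the caller's buffer and are NULL when absent;
 * user is NUL-terminated and may itself contain '@'. */
struct authz_id {
    const char *realm; size_t realm_len;
    const char *mech;  size_t mech_len;
    const char *user;
};
/* Returns 0 on success, -1 on a syntax error. */
int parse_authz_u(const char *id, struct authz_id *out)
{
    const char *p = id, *colon, *start;
    memset(out, 0, sizeof *out);
    if (*p++ != 'u') return -1;            /* only the "u" form here */
    colon = strchr(p, ':');
    if (colon == NULL) return -1;          /* <user> is mandatory */
    if (*p == '.') {                       /* realm: up to ';' or ':' */
        start = ++p;
        while (*p != ';' && *p != ':') p++; /* dots inside are fine */
        out->realm = start; out->realm_len = (size_t)(p - start);
        if (out->realm_len == 0) return -1;
    }
    if (*p == ';') {                       /* mech: up to ':' */
        start = ++p;
        while (*p != ':') p++;
        out->mech = start; out->mech_len = (size_t)(p - start);
        if (out->mech_len == 0) return -1;
    }
    if (p != colon) return -1;             /* junk before the ':' */
    out->user = colon + 1;
    return *out->user ? 0 : -1;
}

/* Check helper: does id parse to these components?  NULL = absent. */
static int field_eq(const char *got, size_t len, const char *want)
{
    if (want == NULL) return got == NULL;
    return got != NULL && strlen(want) == len && memcmp(got, want, len) == 0;
}

int authz_id_matches(const char *id, const char *realm,
                     const char *mech, const char *user)
{
    struct authz_id a;
    if (parse_authz_u(id, &a) != 0) return 0;
    return field_eq(a.realm, a.realm_len, realm) &&
           field_eq(a.mech, a.mech_len, mech) && strcmp(a.user, user) == 0;
}
```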