
RE: saslAuthz{To|From}



At 05:04 AM 12/16/2003, Luke Howard wrote:

>>There's a bug in here somewhere. If the Cyrus library grabbed the name and
>>parsed a realm from it, then it should not have appeared redundantly when it
>>got to us. Either it was provided in an explicit realm parameter, or it was
>
>I'm using a fairly old version of Cyrus, and I should upgrade. But I don't
>think it's related to this issue: before upgrading to OpenLDAP 2.2.3 things were
>working just fine.
>
>If my memory serves me correctly I was seeing the realm in the user name only
>for authorization identities that looked like
>
>        u:foo/bar@REALM

This is because GSSAPI (Kerberos) has an authcid which explicitly
supports realms.

The other special mechanism is DIGEST-MD5, it has an explicit
realm separate from its authcid.

But most mechanisms have no realm concept.

The problem with Cyrus SASL is that it is treating realm as
a generic (mechanism neutral) variable when it's not.  Realm
semantics are quite mechanism specific and have mechanism
specific syntax and semantics.

If we make the assumption that the same "user" can authenticate
with PLAIN and DIGEST-MD5, then we simply ignore the DIGEST-MD5
realm (in forming the authzid) because PLAIN has no realm.

And for GSSAPI, we should always use the fully qualified
principal form (e.g., w/ realm).

Hence, the general, auto dnauthzid form could be simply
        uid=userid,cn=MECH,cn=auth

Kurt
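As an added example (not code from this thread or from OpenLDAP itself), the mapping Kurt describes above, written out: the auto-generated `uid=userid,cn=MECH,cn=auth` form with the per-mechanism realm rule (GSSAPI keeps the fully qualified principal, the DIGEST-MD5 realm is ignored, PLAIN has none), plus the `u:`-prefixed authzid form from Luke's quote. Function names, the `dn:` handling and the sample values are assumptions.

```python
"""Added illustration of the authzid-to-DN mapping discussed in the thread.

Not OpenLDAP's code: function names and the dn: branch are assumptions.
"""
import re
from typing import Optional

# RFC 4514 special characters that must be escaped inside an RDN value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def dn_escape(value: str) -> str:
    """Escape a string so it is safe as an attribute value in a DN."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def sasl_auth_dn(mech: str, authcid: str, realm: Optional[str] = None) -> str:
    """Build uid=userid,cn=MECH,cn=auth with mechanism-specific realm handling."""
    mech = mech.upper()
    if mech == "GSSAPI":
        # Kerberos authcids carry their own realm: always keep the fully
        # qualified principal, adding the realm only if it is missing.
        user = authcid if "@" in authcid or not realm else f"{authcid}@{realm}"
    else:
        # DIGEST-MD5 has a realm separate from its authcid; PLAIN and most
        # other mechanisms have none.  Ignore it so the same "user" maps to
        # the same authzid regardless of mechanism.
        user = authcid
    return f"uid={dn_escape(user)},cn={dn_escape(mech)},cn=auth"


def authzid_to_dn(authzid: str, mech: str, realm: Optional[str] = None) -> str:
    """Map a SASL authorization identity (u:name or dn:DN) to a DN."""
    if authzid.startswith("dn:"):
        return authzid[3:]          # caller supplied an explicit DN (assumption)
    if authzid.startswith("u:"):
        return sasl_auth_dn(mech, authzid[2:], realm)
    raise ValueError(f"unrecognised authzid form: {authzid!r}")


if __name__ == "__main__":
    # Constructed sample, mirroring the u:foo/bar@REALM case from the thread.
    print(authzid_to_dn("u:foo/bar@EXAMPLE.COM", "GSSAPI"))
    print(sasl_auth_dn("DIGEST-MD5", "foo", realm="example.com"))
```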