The SASL documentation is misleading when it talks about using the Fully
Qualified Domain Name. The SASL code only uses the gethostname() system call,
which by convention returns a simple hostname *without* any domain components. E.g.,
for "foo.bar.com" it may just return "foo". (This also depends on your
particular installation; some sysadmins actually do sethostname() with a
fully qualified name, but this is aberrant.) The standard way of getting
a fully qualified name is to use gethostbyname() on the output of gethostname().
This is guaranteed to return a FQDN for any valid hostname. This is what
OpenLDAP/slapd itself does, but it is *not* what the Cyrus SASL libraries do.
As such, if you used saslpasswd (or saslpasswd2) to create your credentials
and you did not explicitly specify a FQDN for your realm, your sasldb very
likely only contains a simple hostname for the realm, not FQDNs. This kind
of mismatch will also cause the "unable to get user's secret" errors.
hyc@highlandsun.com
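The difference described above, as an added example that is not part of the original post and not code from Cyrus SASL or OpenLDAP: `sasl_style_realm()` does what the post says the SASL library does (bare `gethostname()`), `slapd_style_realm()` does what the post says slapd does (`gethostbyname()` on that result, taking the canonical name), and `is_short_form_of()` / `realm_matches()` let you compare a realm stored in sasldb against either. Running it on the server shows which realm name SASL will actually use. The sample realm strings in the comments are constructed; the fallback to the short name when resolution fails is my own choice so the program still reports something on an unresolvable host.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>

/* What the post says Cyrus SASL does: the kernel hostname as-is.
 * By convention this is the short name, e.g. "foo" rather than "foo.bar.com". */
int sasl_style_realm(char *buf, size_t len)
{
    if (len == 0 || gethostname(buf, len) != 0)
        return -1;
    buf[len - 1] = '\0';          /* gethostname() need not NUL-terminate on truncation */
    return 0;
}

/* What the post says slapd does: resolve the short name and take the
 * canonical name, which is the FQDN for any valid hostname.
 * Returns 1 if resolution succeeded, 0 if it fell back to the short name. */
int slapd_style_realm(char *buf, size_t len)
{
    char shortname[256];
    if (sasl_style_realm(shortname, sizeof shortname) != 0)
        return -1;

    struct hostent *h = gethostbyname(shortname);
    if (h != NULL && h->h_name != NULL && h->h_name[0] != '\0') {
        snprintf(buf, len, "%s", h->h_name);
        return 1;
    }
    /* Unresolvable (no DNS, no /etc/hosts entry): fall back to the short name
     * so the caller can still see what SASL would have used. */
    snprintf(buf, len, "%s", shortname);
    return 0;
}

/* True if `shortname` is exactly the first label of `fqdn`:
 * ("foo", "foo.bar.com") -> 1, ("foo", "foobar.com") -> 0, ("foo", "foo") -> 0. */
int is_short_form_of(const char *shortname, const char *fqdn)
{
    size_t n = strlen(shortname);
    return n > 0 && strncmp(shortname, fqdn, n) == 0 && fqdn[n] == '.';
}

/* Realm comparison as a DNS name: case-insensitive, otherwise exact.
 * A sasldb realm of "foo" does not match a server realm of "foo.bar.com",
 * which is the mismatch behind "unable to get user's secret". */
int realm_matches(const char *sasldb_realm, const char *server_realm)
{
    return strcasecmp(sasldb_realm, server_realm) == 0;
}

int main(void)
{
    char sasl_realm[256], slapd_realm[512];
    if (sasl_style_realm(sasl_realm, sizeof sasl_realm) != 0) {
        perror("gethostname");
        return 1;
    }
    int resolved = slapd_style_realm(slapd_realm, sizeof slapd_realm);
    printf("realm SASL will use (gethostname):          %s\n", sasl_realm);
    printf("realm slapd will use (gethostbyname, %s): %s\n",
           resolved == 1 ? "resolved" : "fallback", slapd_realm);
    if (!realm_matches(sasl_realm, slapd_realm))
        printf("MISMATCH: entries created with realm \"%s\" will not be found "
               "under realm \"%s\"\n", sasl_realm, slapd_realm);
    return 0;
}
```

If the two printed realms differ, re-create the entries with `saslpasswd2 -u <the realm SASL prints>` or set the realm explicitly, as the post recommends; `getaddrinfo()` with `AI_CANONNAME` is the non-deprecated way to obtain the same canonical name as `gethostbyname()`.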