[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cyrus SASL 2 is no good

I can forward these issues to the guys here at CMU who wrote SASL 2.0

  -Mark Adamson
   Carnegie Mellon

> The Cyrus SASL 2.1.2 library and current slapd do not get along well at all.
> The Cyrus GSSAPI mechanism always returns NULL for authcid and authzid, and
> appears to not be implementing all of the SASL2 plugin APIs correctly, so
> that
> mechanism is completely useless. I.e., it never calls the canonicalize
> callback, which probably explains why  the authcid and authzid are always
> NULL...
> Using MD5-Digest, I don't get a valid authzID input, so that fails as well.
> Also, for the record, Cyrus 1.5.27 has a bug in the GSSAPI plugin, it never
> sets the realm in the connection context. I have a patch for this.
> Has anyone else been working with the Cyrus SASL 2.x libraries? Some of the
> changes look pretty bogus. In particular, the library now only maintains a
> single default user realm instead of a per-session realm. The plugins
> themselves are no longer able to return any realm info. I believe this makes
> it impossible to represent cross-realm Kerberos authentication in the GSSAPI
> mechanism. (Somewhat of a moot point since their GSSAPI plugin never
> returned realm info in the first place.)
> This is going to take some effort to get usable.