Re: Cyrus SASL 2 is no good
I can forward these issues to the guys here at CMU who wrote SASL 2.0.
> The Cyrus SASL 2.1.2 library and current slapd do not get along well at all.
> The Cyrus GSSAPI mechanism always returns NULL for authcid and authzid, and
> appears to not be implementing all of the SASL2 plugin APIs correctly, so
> mechanism is completely useless. I.e., it never calls the canonicalize
> callback, which probably explains why the authcid and authzid are always
> Using MD5-Digest, I don't get a valid authzID input, so that fails as well.
> Also, for the record, Cyrus 1.5.27 has a bug in the GSSAPI plugin, it never
> sets the realm in the connection context. I have a patch for this.
> Has anyone else been working with the Cyrus SASL 2.x libraries? Some of the
> changes look pretty bogus. In particular, the library now only maintains a
> single default user realm instead of a per-session realm. The plugins
> themselves are no longer able to return any realm info. I believe this makes
> it impossible to represent cross-realm Kerberos authentication in the GSSAPI
> mechanism. (Somewhat of a moot point since their GSSAPI plugin never
> returned realm info in the first place.)
> This is going to take some effort to get usable.