
Re: saslAuthz{To|From}

Kurt D. Zeilenga wrote:
At 07:55 AM 12/13/2003, Pierangelo Masarati wrote:

Kurt D. Zeilenga wrote:

At 07:22 AM 12/13/2003, Pierangelo Masarati wrote:

dealing with realms is already supported: "u:jane@realm"
(unless we accept "@" as a valid char in a userid, but
this would lead to endless discussion, and it's already
done somewhere else in the code :)

@ is a perfectly valid character in a userid. @ is a perfectly valid character in a realm. Hence, writing userid@realm is a really bad idea.

I knew I was entering a minefield. However, this is how user and realm are currently indicated in most software, including slapd, e.g. at least in slap_sasl_getdn().

So what?  Let me first implement my idea,
then we can discuss this.  It's likely to be
seamless to move realm and mech before
the colon in the "u:<user>" syntax.

I don't mind allowing user@realm too much.
But user@realm/mech is a bit problematic.

How about a compromise: u.mech:user@realm ?

Sure. This leaves the problem that user@domain is a valid userid (see posting from Randall) and is potentially in use.

To improve entropy, the treatment
of "u.mech:user@realm" requires
casting it into "u:user@realm" and
moving "mech" to the "c_sasl_bind_mech"
member of the Connection!  I'll fix
this later.  For now, I have done the
u:user@realm/mech stuff and tested it.


Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |
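As an added illustration, not OpenLDAP's own code and with function names of my own choosing, the two layouts debated above are parsed side by side: "u:user@realm/mech" as implemented, and "u.mech:user@realm" as the proposed compromise. The round-trip check shows the point Kurt raises, that a userid or realm which itself contains "@" cannot be split back unambiguously in either layout (DIGEST-MD5 is only a sample mechanism name).

```python
# Added illustration, not OpenLDAP's own code: parse the two SASL authz-id
# layouts discussed in the thread and show why "@" in a userid defeats the split.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthzId:
    user: str
    realm: Optional[str] = None
    mech: Optional[str] = None


def _split_user_realm(body: str):
    # Realm is taken after the LAST "@"; a userid containing "@" is misread.
    return tuple(body.rsplit("@", 1)) if "@" in body else (body, None)


def parse_suffix_form(authzid: str) -> AuthzId:
    """'u:user[@realm][/mech]' -- the layout implemented in the message."""
    if not authzid.startswith("u:"):
        raise ValueError("not a u: identity")
    body, mech = authzid[2:], None
    if "/" in body:
        body, mech = body.rsplit("/", 1)
    user, realm = _split_user_realm(body)
    return AuthzId(user, realm, mech)


def parse_prefix_form(authzid: str) -> AuthzId:
    """'u[.mech]:user[@realm]' -- the proposed compromise, mech before the colon."""
    prefix, sep, body = authzid.partition(":")
    if not sep or not (prefix == "u" or prefix.startswith("u.")):
        raise ValueError("not a u: identity")
    mech = prefix[2:] or None
    user, realm = _split_user_realm(body)
    return AuthzId(user, realm, mech)


def render_suffix_form(a: AuthzId) -> str:
    """Inverse of parse_suffix_form, with no quoting of "@" or "/" (as in the thread)."""
    s = "u:" + a.user
    if a.realm is not None:
        s += "@" + a.realm
    if a.mech is not None:
        s += "/" + a.mech
    return s


def round_trips(a: AuthzId) -> bool:
    """False when rendering and re-parsing yields a different identity."""
    return parse_suffix_form(render_suffix_form(a)) == a
```

A failed round trip means the authorization identity the server acts on is not the one the client meant, which is why an unquoted separator inside a userid matters for authz mapping.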