
Re: ldap_sasl_interactive_bind_s



--On Wednesday, May 30, 2007 8:50 AM +0100 Simon Wilkinson <simon@sxw.org.uk> wrote:

> I've done something similar to this with other SASL clients. I assume
> that what you (they?) want is to be able to provide a list along the
> lines of 'try GSSAPI, then if that fails, try DIGEST-MD5', etc. You can
> drive Cyrus SASL in this way, but I suspect you need a closer
> relationship to the SASL code than ldap_sasl_bind_interactive_s gives
> you. Roughly, what works is to take the list of mechanisms that the
> server gives you, and start a loop. Call into the SASL library with this
> list, and do the SASL handshake as normal. If it fails at any point, ask
> it what mechanism just failed, and remove it from your list of permitted
> mechanisms, and go round again. You're done when you've either run out of
> permitted mechanisms, or the authentication succeeds. This model means
> that you can try GSSAPI first, and then fall back to password based
> mechanisms when that fails, without having to involve the user in that
> process.

Hm, do you have an example of this available? ;)

--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
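
The fallback loop described in the quoted text, as an added example that is not part of the original thread and is not OpenLDAP or Cyrus SASL code: `attempt_fn`, `bind_with_fallback`, `demo_attempt` and `ALLOWED` are hypothetical names, and the handshake and server list are constructed stand-ins. It assumes the client keeps its own preference-ordered allow-list and uses the server's list only to narrow it, so a server list that drops GSSAPI or offers PLAIN cannot move the client to a mechanism it never permitted.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical hook: one full SASL handshake restricted to the space-separated
 * list `mechs`. Returns 0 on success; sets *mech to the mechanism the library
 * picked, also on failure (Cyrus SASL: `mech` out-arg of sasl_client_start). */
typedef int (*attempt_fn)(const char *mechs, const char **mech);
/* Whole-token match of `mech` in a space-separated list. */
static int in_list(const char *list, const char *mech) {
    size_t n = strlen(mech);
    for (const char *p = list; n && (p = strstr(p, mech)) != NULL; p += n)
        if ((p == list || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0')) return 1;
    return 0;
}

/* `allowed` is the client's own list in preference order; the server's list
 * only narrows it. Returns the mechanism that succeeded, or NULL. */
const char *bind_with_fallback(const char *const *allowed, size_t n,
                               const char *server_mechs, attempt_fn attempt) {
    int live[8] = {0};
    if (n > 8) return NULL;
    for (size_t i = 0; i < n; i++) live[i] = in_list(server_mechs, allowed[i]);
    for (;;) {
        char list[256] = "";
        const char *mech = NULL;
        for (size_t i = 0; i < n; i++)
            if (live[i] && strlen(list) + strlen(allowed[i]) + 2 <= sizeof list)
                strcat(strcat(list, *list ? " " : ""), allowed[i]);
        if (!*list) return NULL;            /* ran out of permitted mechanisms */
        int rc = attempt(list, &mech);
        size_t i = 0;
        while (i < n && !(mech && live[i] && strcmp(allowed[i], mech) == 0)) i++;
        if (i == n) return NULL;            /* library used nothing we permit */
        if (rc == 0) return allowed[i];     /* authenticated */
        live[i] = 0;                        /* drop the failure, go round again */
    }
}

/* Constructed stand-in for the SASL library: uses the first mechanism in the
 * list and fails GSSAPI, as if no Kerberos ticket were available. */
static int demo_attempt(const char *mechs, const char **mech) {
    static char chosen[32];
    snprintf(chosen, sizeof chosen, "%.*s", (int)strcspn(mechs, " "), mechs);
    *mech = chosen;
    return strcmp(chosen, "GSSAPI") == 0 ? -1 : 0;
}
static const char *const ALLOWED[] = {"GSSAPI", "DIGEST-MD5"}; /* constructed */
int main(void) {
    const char *m = bind_with_fallback(ALLOWED, 2, "PLAIN DIGEST-MD5 GSSAPI", demo_attempt);
    printf("bound with: %s\n", m ? m : "(none)");
}
```

In a real client the hook would wrap the SASL handshake for one bind attempt; logging each dropped mechanism makes a silent fall back from GSSAPI to a password mechanism visible afterwards.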