
Cyrus SASL 2 is no good

The Cyrus SASL 2.1.2 library and current slapd do not get along well at all.
The Cyrus GSSAPI mechanism always returns NULL for authcid and authzid, and
appears to not be implementing all of the SASL2 plugin APIs correctly, so
the mechanism is completely useless. I.e., it never calls the canonicalize
callback, which probably explains why the authcid and authzid are always

Using MD5-Digest, I don't get a valid authzID input, so that fails as well.

Also, for the record, Cyrus 1.5.27 has a bug in the GSSAPI plugin: it never
sets the realm in the connection context. I have a patch for this.

Has anyone else been working with the Cyrus SASL 2.x libraries? Some of the
changes look pretty bogus. In particular, the library now only maintains a
single default user realm instead of a per-session realm. The plugins
themselves are no longer able to return any realm info. I believe this makes
it impossible to represent cross-realm Kerberos authentication in the GSSAPI
mechanism. (Somewhat of a moot point since their GSSAPI plugin never
returned realm info in the first place.)

This is going to take some effort to get usable.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support