[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Cyrus SASL 2 is no good

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Howard Chu

> The Cyrus SASL 2.1.2 library and current slapd do not get along
> well at all.
> The Cyrus GSSAPI mechanism always returns NULL for authcid and
> authzid, and
> appears to not be implementing all of the SASL2 plugin APIs correctly, so
> that
> mechanism is completely useless. I.e., it never calls the canonicalize
> callback, which probably explains why  the authcid and authzid are always
> NULL...
> Using MD5-Digest, I don't get a valid authzID input, so that
> fails as well.

> This is going to take some effort to get usable.

More details - the slap_sasl_canonicalize function gets called before the
plugin looks up the user's secret. So, we've turned the SASL username into
a full DN already, and then (e.g.) MD5-Digest tries to find that string
in the sasldb, which fails.

It looks like there's no good way to handle this. In Cyrus 1.5 the
canonicalization was done inside the slap_sasl_authorize() callback, and
apparently the user's secret was already checked before this call, so the
username we finally output is just stored and not processed any further.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support