[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cyrus SASL 2 is no good

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: Cyrus SASL 2 is no good
From: Mark Adamson <adamson@andrew.cmu.edu>
Date: Mon, 15 Apr 2002 16:24:00 -0400 (EDT)
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <NMEFLNHODBAOPDKNNJALGEJMCKAA.hyc@highlandsun.com>

I can forward these issues to the guys here at CMU who wrote SASL 2.0

  -Mark Adamson
   Carnegie Mellon




> The Cyrus SASL 2.1.2 library and current slapd do not get along well at all.
> The Cyrus GSSAPI mechanism always returns NULL for authcid and authzid, and
> appears to not be implementing all of the SASL2 plugin APIs correctly, so
> that
> mechanism is completely useless. I.e., it never calls the canonicalize
> callback, which probably explains why  the authcid and authzid are always
> NULL...
>
> Using MD5-Digest, I don't get a valid authzID input, so that fails as well.
>
> Also, for the record, Cyrus 1.5.27 has a bug in the GSSAPI plugin, it never
> sets the realm in the connection context. I have a patch for this.
>
> Has anyone else been working with the Cyrus SASL 2.x libraries? Some of the
> changes look pretty bogus. In particular, the library now only maintains a
> single default user realm instead of a per-session realm. The plugins
> themselves are no longer able to return any realm info. I believe this makes
> it impossible to represent cross-realm Kerberos authentication in the GSSAPI
> mechanism. (Somewhat of a moot point since their GSSAPI plugin never
> returned realm info in the first place.)
>
> This is going to take some effort to get usable.

Follow-Ups:
- RE: Cyrus SASL 2 is no good
  - From: "Howard Chu" <hyc@highlandsun.com>
- RE: Cyrus SASL 2 is no good
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Cyrus SASL 2 is no good
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: current C API draft.
Next by Date: Re: current C API draft.
Index(es):
- Chronological
- Thread