RE: Cyrus SASL 2 is no good

I've noticed that the Cyrus 2 GSSAPI plugin tends to always send a non-NULL
authzid with its requests. Generally this will be identical to the authcid,
and we handle that case ok. But sometimes the two names don't match, and
we reject it because it doesn't have a "u:" or "dn:" prefix. I'm wondering whether
we shouldn't just always treat authzids as userids, unless they have an
explicit "dn:" prefix. Essentially this means allowing the "u:" prefix to be
optional. Any objections?

(re: the non-match case, sometimes I see authcid=hyc/authzid=hyc@my.realm.
Usually I see both IDs in full user@realm format. It's all a weird mix of
conditions depending on the default Kerberos realm name, the client's
Kerberos realm name, and the sasl-realm configured in slapd.conf. There's a
lot of unnecessary confusion here, which I've raised on the cyrus-sasl list,
but I apparently haven't gotten the point across yet about how unmanageable
the current behavior is...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
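The following is an added illustration, not code from the original post or from OpenLDAP, of the two authzid-handling rules the post contrasts: the current strict rule (an authzid that differs from the authcid is rejected unless it carries a "u:" or "dn:" prefix) and the proposed relaxed rule (a bare authzid is a userid, so "u:" becomes optional). It makes the prefix test case-insensitive and treats only a userid identical to the authcid as "same identity"; any other authzid is reported as needing a proxy-authorization policy decision, which the example does not model. The sample pairs are constructed after the ones quoted in the post; the DN is a placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Kind of identity an authzid denotes. */
typedef enum { ID_INVALID = 0, ID_USER, ID_DN } id_kind;

/* Outcome of the proxy-authorization decision for one SASL bind. */
typedef enum {
    AUTHZ_NO_PROXY = 0,      /* no authzid supplied: act as the authcid */
    AUTHZ_MALFORMED,         /* authzid rejected for lacking a recognised prefix */
    AUTHZ_SAME_IDENTITY,     /* authzid names the same user as the authcid */
    AUTHZ_NEEDS_POLICY       /* different identity: a real proxy-authz check applies */
} authz_result;

/* Case-insensitive ASCII prefix test; stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Classify an authzid.
 * strict != 0 : the behaviour the post complains about, reject anything
 *               without an explicit "u:" or "dn:" prefix.
 * strict == 0 : the proposed rule, a bare string is a userid ("u:" optional).
 * On success *body points at the identity text after the prefix. */
id_kind classify_authzid(const char *authzid, int strict, const char **body)
{
    *body = NULL;
    if (authzid == NULL || *authzid == '\0')
        return ID_INVALID;
    if (has_prefix_ci(authzid, "dn:")) { *body = authzid + 3; return ID_DN; }
    if (has_prefix_ci(authzid, "u:"))  { *body = authzid + 2; return ID_USER; }
    if (strict)
        return ID_INVALID;
    *body = authzid;                 /* proposed rule: bare string is a userid */
    return ID_USER;
}

/* Decide what to do with an (authcid, authzid) pair.
 * An authzid byte-identical to the authcid is accepted under both rules, as the
 * post says the current code already does; everything else goes through
 * classify_authzid(). The only policy implemented here (an assumption of this
 * example) is "same userid == same identity". */
authz_result decide_authz(const char *authcid, const char *authzid, int strict)
{
    const char *body;
    id_kind kind;

    if (authzid == NULL || *authzid == '\0')
        return AUTHZ_NO_PROXY;
    if (strcmp(authcid, authzid) == 0)
        return AUTHZ_SAME_IDENTITY;
    kind = classify_authzid(authzid, strict, &body);
    if (kind == ID_INVALID)
        return AUTHZ_MALFORMED;
    if (kind == ID_USER && strcmp(body, authcid) == 0)
        return AUTHZ_SAME_IDENTITY;
    return AUTHZ_NEEDS_POLICY;
}

int main(void)
{
    /* Constructed sample pairs modelled on the ones quoted in the post. */
    struct { const char *authcid, *authzid; } samples[] = {
        { "hyc",          "hyc" },
        { "hyc",          "hyc@my.realm" },          /* the rejected mismatch case */
        { "hyc@my.realm", "u:hyc@my.realm" },
        { "hyc",          "dn:cn=hyc,dc=example,dc=com" },  /* placeholder DN */
        { "hyc",          "" },
    };
    static const char *names[] = { "no-proxy", "malformed", "same-identity", "needs-policy" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("authcid=%-13s authzid=%-28s strict=%-13s relaxed=%s\n",
               samples[i].authcid, samples[i].authzid,
               names[decide_authz(samples[i].authcid, samples[i].authzid, 1)],
               names[decide_authz(samples[i].authcid, samples[i].authzid, 0)]);
    }
    return 0;
}
```

Run as is, the table shows the one pair whose outcome changes between the rules: authcid=hyc with authzid=hyc@my.realm is "malformed" under the strict rule and "needs-policy" under the relaxed one. The relaxed rule does not make that bind succeed by itself; it only turns a parse failure into an identity that the server's proxy-authorization policy gets to evaluate.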