
RE: saslAuthz{To|From}



> There's a bug in here somewhere. If the Cyrus library grabbed the name
> and parsed a realm from it, then it should not have appeared redundantly
> when it got to us. Either it was provided in an explicit realm
> parameter, or it was left in the username, but not both. It also seems
> to me that they've been deprecating the use of the explicit Realm
> parameter, and just appending "@realm" to usernames.

This assumes that the domain of an email used as userid
is the same as the realm of the user.  Sounds a bit too
optimistic.

>
> I note that, having created a user "hyc" with realm "fred" in my
> /etc/sasldb2, this works:
> 	./ldapsearch -Y DIGEST-MD5 -U hyc@fred
>
> but this doesn't:
> 	./ldapsearch -Y DIGEST-MD5 -U hyc -R fred
> ("fred" is not the default realm for this server...)
>
> On the client side, the SASL library never asks for the SASL_REALM
> prompt, so the -R argument is ignored. On the server, the SASL digestmd5
> plugin always parses the realm out of the provided authIDs.
>
> If we're going to go down this road, somebody has to get Cyrus to
> cooperate. Right now what we have is unusable.

I thought you were in a good relationship with the Cyrus people ;)

I guess we should discuss the problem with them, and possibly
bring in other developers who might be affected by our code
changes ...  time for an i.d.?

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
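The thread above turns on where a SASL realm comes from: an explicit realm parameter, a `user@realm` suffix in the authentication ID, or the server default, and on the objection that an `@domain` in an e-mail-style userid is not necessarily a realm. The following is an added example, not code from this thread, from OpenLDAP or from Cyrus SASL; it sketches one server-side normalisation policy for that decision. The function names, the `AuthId` record, the realm names and the sample inputs are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


class RealmConflict(ValueError):
    """Raised when a realm arrives both as an explicit parameter and
    embedded in the authid, and the two disagree."""


@dataclass(frozen=True)
class AuthId:
    user: str          # username as the credential store should look it up
    realm: str         # realm the credential belongs to
    realm_source: str  # "explicit", "embedded", "both" or "default" (for audit logs)


def parse_authid(authid: str,
                 explicit_realm: Optional[str],
                 default_realm: str,
                 known_realms: FrozenSet[str]) -> AuthId:
    """Normalise a SASL authentication ID (assumed policy, not Cyrus SASL's).

    * "user@realm" is split only when `realm` is one this server serves;
      otherwise the text after '@' stays part of the username (an e-mail
      address used as userid) and the default realm applies.
    * An explicit realm parameter and an embedded realm may both be present
      only if they agree; a disagreement is rejected rather than guessed.
    * An explicit realm must name a served realm; unknown realms are refused.
    """
    if not authid:
        raise ValueError("empty authid")
    if explicit_realm is not None and explicit_realm not in known_realms:
        raise ValueError(f"unknown realm {explicit_realm!r}")

    head, sep, tail = authid.rpartition("@")
    if sep and tail in known_realms:
        user, embedded = head, tail
    else:
        user, embedded = authid, None  # keep any '@' that did not name a realm
    if not user:
        raise ValueError("empty username")

    if explicit_realm is not None and embedded is not None:
        if explicit_realm != embedded:
            raise RealmConflict(
                f"explicit realm {explicit_realm!r} != embedded realm {embedded!r}")
        return AuthId(user, embedded, "both")
    if explicit_realm is not None:
        return AuthId(user, explicit_realm, "explicit")
    if embedded is not None:
        return AuthId(user, embedded, "embedded")
    return AuthId(user, default_realm, "default")


# Constructed sample: realms this hypothetical server serves.
KNOWN_REALMS = frozenset({"fred", "bar", "default.example"})
DEFAULT_REALM = "default.example"


def demo() -> dict:
    """Run the two cases from the thread plus the e-mail-as-userid case."""
    return {
        "hyc@fred":          parse_authid("hyc@fred", None, DEFAULT_REALM, KNOWN_REALMS),
        "hyc -R fred":       parse_authid("hyc", "fred", DEFAULT_REALM, KNOWN_REALMS),
        "alice@example.com": parse_authid("alice@example.com", None,
                                          DEFAULT_REALM, KNOWN_REALMS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} -> user={result.user!r} realm={result.realm!r} "
              f"({result.realm_source})")
```

With this policy both invocations from the quoted message resolve to the same credential, and an address whose domain is not a served realm is looked up verbatim under the default realm instead of being silently split. Whether `both` should be accepted or logged as the redundancy the quoted message calls a bug is a deployment choice; the point of keeping `realm_source` is that the answer can be audited after the fact.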