Re: saslpasswd2 and virtdomains


Subject: Re: saslpasswd2 and virtdomains
From: Ken Murchison (ken at oceana dot com)
Date: Tue May 20 2003 - 15:42:21 EDT


Quoting Igor Brezac <igor at ipass dot net>:

>
> On Mon, 19 May 2003, Ken Murchison wrote:
>
> > Quoting Igor Brezac <igor at ipass dot net>:
> >
> > > canonify_userid() strips the domain, where does the reverse lookup occur
> > > before sasl_checkpass()?
> >
> > Actually, after a second look to refresh my memory, if you fully qualify the
> > userid, the reverse lookup isn't done. When it does, it's in the same
> > if/then/elseif/else where the defaultdomain is stripped.
> >
> > > > because it matches the defaultdomain. Since the userid is now unqualified, it
> > > > falls through to the reverse lookup code. If the reverse lookup returns
> > > > host.domain.com, then domain.com is appended to the userid, leaving you with
> > > > admin at domain dot com.
> > >
> > > Wouldn't it make sense to append defaultdomain rather than doing reverse
> > > lookup? The problem I described occurs only for login mech, plain works
> > > fine.
> >
> > The canonify code strips the default domain, because it treats it like a single
> > domain config (for backwards compatibility).
>
> I found the problem. userid is canonified twice, first by
> mysasl_canon_user() and then by cmd_login().

Do you mean sasl_checkpass() calls the mysasl_canon_user() callback after we've
already canonicalized it?

> The cmd_login() already gets canonified userid,

How? cmd_login() gets the raw userid from the prot stream.

> is there a need to call
> canonify_userid() in cmd_login()?

Since we need to check it against "anonymous", I think we do.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
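
Added example, not part of the original message and not Cyrus source code: a simplified C model of the branch order described in the quoted text (strip the default domain, otherwise append the reverse-lookup domain to an unqualified userid), showing why a second canonicalization pass would change the result. `model_canon`, `second_pass_changes`, the exact-match domain comparison and the sample domains are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the if/else-if/else described in the thread.
 * Not the real canonify_userid(); domain match is a plain strcmp here. */
static int model_canon(const char *in, const char *defaultdomain,
                       const char *reverse_host, char *out, size_t outlen)
{
    const char *at = strchr(in, '@');
    int n;

    if (at != NULL) {
        if (strcmp(at + 1, defaultdomain) == 0)
            /* Qualified with the default domain: strip it. */
            n = snprintf(out, outlen, "%.*s", (int)(at - in), in);
        else
            /* Qualified with another domain: keep as-is, no lookup. */
            n = snprintf(out, outlen, "%s", in);
    } else {
        /* Unqualified: append the domain part of the reverse-lookup name. */
        const char *dot = reverse_host ? strchr(reverse_host, '.') : NULL;
        if (dot != NULL && dot[1] != '\0')
            n = snprintf(out, outlen, "%s@%s", in, dot + 1);
        else
            n = snprintf(out, outlen, "%s", in);
    }
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;  /* -1 on truncation */
}

/* Returns 1 if a second pass changes the result, 0 if not, -1 on error. */
static int second_pass_changes(const char *userid, const char *defaultdomain,
                               const char *reverse_host)
{
    char once[256], twice[256];
    if (model_canon(userid, defaultdomain, reverse_host, once, sizeof once) ||
        model_canon(once, defaultdomain, reverse_host, twice, sizeof twice))
        return -1;
    printf("%-22s -> %-18s -> %s\n", userid, once, twice);
    return strcmp(once, twice) != 0;
}

int main(void)
{
    /* Constructed inputs: default domain and reverse-lookup host differ. */
    second_pass_changes("admin@default.example", "default.example", "host.domain.com");
    second_pass_changes("user@other.example", "default.example", "host.domain.com");
    return 0;
}
```

In this model only a userid qualified with the default domain is unstable under a second pass; one qualified with any other domain is returned unchanged both times.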






