Subject: Re: saslpasswd2 and virtdomains
From: Ken Murchison (ken at oceana dot com)
Date: Tue May 20 2003 - 15:42:21 EDT
Quoting Igor Brezac <igor at ipass dot net>:
>
> On Mon, 19 May 2003, Ken Murchison wrote:
>
> > Quoting Igor Brezac <igor at ipass dot net>:
> >
> > >
> > > canonify_userid() strips the domain, where does the reverse lookup occur
> > > before sasl_checkpass()?
> >
> > Actually, after a second look to refresh my memory, if you fully qualify the
> > userid, the reverse lookup isn't done. When it does, it's in the same
> > if/then/elseif/else where the defaultdomain is stripped.
> >
> > >
> > > > because it matches the defaultdomain. Since the userid is now unqualified, it
> > > > falls through to the reverse lookup code. If the reverse lookup returns
> > > > host.domain.com, then domain.com is appended to the userid, leaving you with
> > > > admin at domain dot com.
> > >
> > > Wouldn't it make sense to append defaultdomain rather than doing reverse
> > > lookup? The problem I described occurs only for login mech, plain works
> > > fine.
> >
> > The canonify code strips the default domain, because it treats it like a single
> > domain config (for backwards compatibility).
>
> I found the problem. userid is canonified twice, first by
> mysasl_canon_user() and then by cmd_login().

Do you mean sasl_checkpass() calls the mysasl_canon_user() callback after we've
already canonicalized it?

> The cmd_login() already gets canonified userid,

How? cmd_login() gets the raw userid from the prot stream.

> is there a need to call
> canonify_userid() in cmd_login()?

Since we need to check it against "anonymous", I think we do.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp