From: Rob Siemborski (rjs3 at andrew dot cmu dot edu)
Date: Thu Mar 25 2004 - 16:19:42 EST
On Thu, 25 Mar 2004, Howard Chu wrote:
> >I believe this is compliant with the specification, even if it means that
> >the realm= parameter of the digest-response (and digest-challenge) is
> >basically useless. This makes DIGEST-MD5 consistent with every other
> >mechanism (yes, KERBEROS_V4 and GSSAPI have a slightly different concept,
> >but the execution in this case is the same -- split at the @ sign). It also
> >allows *all* mechanisms to support realms.
>
> Rendering the DIGEST-MD5 "realm" parameter useless does not seem like a
> positive thing to do. If it is truly useless, it shouldn't have been in the
> spec. Since it is in the spec, there is probably an implementation out there
> that depends on using it, and Cyrus' behavior will interfere with
> interoperability in that case.
We still use the realm parameter, it's just basically functionless. No
other implementation should break against it -- if they supply a realm
other than the one we advertise, they lose (as they know they can).
Likewise, the client side of our application will work properly with the
GETREALM callback/interaction.
> >I can also understand an argument that we should be disallowing user_realm
> >values with an '@' sign.
>
> And this also contradicts the spec that explicitly states that '@' is a valid
> character in a realm name. Once again, taking this position will break
> interoperability.
How, exactly? If we are the client, nothing will ever break (since the
client side deals with either username@realm for the authnid, and also
enables the caller to pass a realm name). On the server side, we
define the realm= parameter to be the FQDN of the server (as it is
the right of the server to do). We then accept authnids whose format is
defined to be username@somedomain, which, internally, we treat as the
"realm". What the application sees as realm and what is on the wire as
the digest-md5 realm parameter have *nothing* to do with each other.
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper