Re: saslauthd + pam_mysql broken ?

From: Roman Medina (roman at rs-labs dot com)
Date: Thu Mar 25 2004 - 20:07:29 EST

  • Next message: Kurt D. Zeilenga: "authcid v. realm in DIGEST-MD5 and elsewhere (Was: saslauthd + pam_mysql broken)"

    On Thu, 25 Mar 2004 16:19:42 -0500 (EST), you wrote:

    >How, exactly? If we are the client, nothing will ever break (since the
    >client side deals with either username at realm for the authnid, and also
    >enables the caller to pass a realm name. On the server side, we
    >define the realm= pareameter to be the FQDN of the server (as it is
    >the right of the server to do). We then accept authnids whose format is
    >defined to be username at somedomain, which, internally, we treat as the
    >"realm". What the application sees as realm and what is on the wire as
    >the digest-md5 realm parameter have *nothing* to do with eachother.

    Rob, I understand your position. But if you change the behaviour of
    libsasl to split username into user + domain (as you said, to be
    internally managed in the way you want, and consistent to other
    functions), the only way not to break the client (seen in a global
    way) is to also modify the auth process in order to send
    "username"@"realm" (=user at domain) whenever it proceeds (for instance,
    in the case of auth_pam). Perhaps now this is done (since I heard you
    comitted Jeremy's patch which precisely is supposed to join
    username+realm) but it was done when I began the thread. Indeed, when
    I realized what the problem was, I was looking for any new options to
    saslauthd to implement the joining. I thought it should exist such
    option since it was not logical to think sasl auth had been completely

    Jeremy's patch is ok since it at least permits the user to _manually_
    fix the broken behaviour introduced in last versions of cyrus sasl. I
    said "manually" because the user will first have to realized cyrus
    sasl code behaviour have changed and then respond to the changes by
    activating the special option to concat user+realm.

    But I still think that if you break something, you should fix
    something, not letting the user this task. Not all users are average
    users nor have time to research this kind of things. For me it's late
    because I already spent my time with this issue but I wouldn't like
    others to live my same situation.


    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]

  • Next message: Kurt D. Zeilenga: "authcid v. realm in DIGEST-MD5 and elsewhere (Was: saslauthd + pam_mysql broken)"

    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs

    Powered By FreeBSD   Powered By FreeBSD