Re: Changing realms

From: Alexey Melnikov (Alexey dot Melnikov at isode dot com)
Date: Mon May 17 2004 - 04:49:33 EDT

    T.J. Kniveton wrote:

    > This question was posted about a year back, and maybe other times.
    > The question is: given a user in a database, how can you change realms?

    This is not going to help you in the short term, but I am [slowly] working
    on adding "user rename" and "domain rename" functionality to SASL. "user
    rename" would be implemented as a new auxprop method. "domain rename"
    can be another auxprop method, but if it is NULL, libsasl will emulate
    "domain rename" using "user rename".

    > My practical example is: I have a very small mailserver with a few
    > users and a berkeley4.2-backed sasldb2 database.
    > Now I want to move that to a new machine. Since I am not using
    > kerberos at all, the canonized usernames on the old machine were
    > user@fqdn1. On the new machine, it will be looking for user@fqdn2. So
    > I want to change all the realms in my sasldb2 file from fqdn1 to
    > fqdn2, while retaining the rest of the auxiliary properties,
    > especially the password.
    > I started looking at saslpasswd.c, and then a bit deeper into the
    > code, and it's obvious that this is a tricky thing to do. The entries
    > in the db seem to be keyed on realm, and there is no sort of function
    > to make this easy.
    > I wrote a function in lib/server.c that copies a user and gives a new
    > userid and realm (domain), and changed saslpasswd.c to use it.
    > I got pretty tangled in the sasl_conn_t and sasl_server_conn_t
    > structures. Reminds me of mbufs. At this point, I think I need to open
    > a new connection, and in the sasl_out_params, put the new canonified
    > userid with the new realm. But I'm not sure.
    > This proved to be quite time consuming, because the first time I wrote
    > the code, I brilliantly wiped it out with a simple 'make clean' in my
    > ports directory where I was working. doh! The second time around, it
    > wasn't successful. Maybe when I have some more time I'll look at this
    > again. Does anyone more knowledgeable about this have any suggestions?
    > TJ
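The realm rewrite TJ describes, as an added example that is not code from this thread or from Cyrus SASL: it works over an in-memory copy of the sasldb2 key/value pairs and assumes (my assumption, not stated above) the Cyrus SASL key layout `authid\0realm\0property` with the property value stored as the record value. Sample records and the `exampleProp` property name are constructed.

```python
# Added example (not from the thread or from Cyrus SASL): move every sasldb2
# record from one realm to another while keeping the record values intact.
# ASSUMPTION: sasldb keys are laid out as authid + "\0" + realm + "\0" + property
# and the record value is the property value (e.g. the password under
# "userPassword"), so copying the value unchanged keeps the password.
from typing import Dict, Tuple

SEP = b"\x00"


def split_key(key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a sasldb key into (authid, realm, property); reject other layouts."""
    parts = key.split(SEP)
    if len(parts) != 3:
        raise ValueError(f"unexpected sasldb key layout: {key!r}")
    return parts[0], parts[1], parts[2]


def rename_realm(entries: Dict[bytes, bytes], old_realm: bytes,
                 new_realm: bytes) -> Dict[bytes, bytes]:
    """Return a copy of entries with every key in old_realm re-keyed to new_realm.

    Keys in other realms are copied untouched.  A key that already exists in
    new_realm is a collision and aborts the whole rewrite, so no record is
    silently overwritten or dropped.
    """
    if old_realm == new_realm:
        return dict(entries)
    out: Dict[bytes, bytes] = {}
    for key, value in entries.items():
        authid, realm, prop = split_key(key)
        if realm != old_realm:
            out[key] = value
            continue
        new_key = SEP.join((authid, new_realm, prop))
        if new_key in entries or new_key in out:
            raise ValueError(f"{authid!r} already has {prop!r} in realm {new_realm!r}")
        out[new_key] = value
    return out


# Constructed sample standing in for a sasldb2 dump (all values are made up).
SAMPLE_DB = {
    b"alice\x00fqdn1\x00userPassword": b"s3cret-alice",
    b"alice\x00fqdn1\x00exampleProp": b"some-other-property",
    b"bob\x00fqdn1\x00userPassword": b"s3cret-bob",
    b"carol\x00other.example\x00userPassword": b"s3cret-carol",
}

if __name__ == "__main__":
    for k, v in sorted(rename_realm(SAMPLE_DB, b"fqdn1", b"fqdn2").items()):
        print(k.replace(SEP, b"|").decode(), "->", v.decode())
```

Reading and writing the real file would go through a Berkeley DB binding (the dict here stands in for that); run the rewrite on a copy of sasldb2 and keep the original until the new machine authenticates the migrated users.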

