Possible bug with multiple realms and digest-md5?
alexey.melnikov at isode.com
Mon Dec 7 15:31:06 EST 2009
Nathan Kinder wrote:
> On 12/06/2009 02:03 PM, Alexey Melnikov wrote:
>> Nathan Kinder wrote:
>> Hi Nathan,
>>> I'm a developer working on an LDAP server application (389 Directory
>>> Server) that uses Cyrus SASL. We've been using Cyrus SASL successfully
>>> for quite some time, but I have an odd issue I'm seeing trying to use
>>> the digest-md5 mechanism with multiple realms.
>>>
>>> The problem is that a realm set by the client (Mozilla ldapsearch or
>>> OpenLDAP ldapsearch in this case) never appears to be sent to the
>>> server. I would like to use the client specified realm in my
>>> SASL_CB_CANON_USER callback to allow the server to locate the
>>> appropriate entry that contains the shared secret.
>>>
>>> I looked through the Cyrus SASL code, and the root of the problem
>>> looks to be that there is no way to set multiple realms when calling
>>> sasl_server_new(). The user_realm parameter is just a single "char *",
>>> which is just used as is by the call to add_to_challenge() in the
>>> digestmd5_server_mech_step1() function. I see no logic here to add
>>> multiple realms to the challenge that is sent to the client.
>>>
>>> The client side of the digest-md5 plug-in has logic to handle multiple
>>> realms. The ask_user_info() function deals with this by looking for
>>> any realms that were in the challenge. If no realm was found, it fakes
>>> it by using the FQDN of the server. If a single realm is found, the
>>> client just uses it. If multiple realms are found, then it appears an
>>> interaction is used, meaning the client specified realm will be set.
>>> Since only one available realm is sent in the challenge from the
>>> server, the client specified realm will never be
>>>
>>> Is my above interpretation of the code correct, or am I missing
>>> something? Should it be possible to set multiple available realms on
>>> the server side and have them passed to the client in the challenge?
>> Are you sure you actually need support for multiple realms as opposed
>> to just using usernames in the form of "user at domain"?
> I don't have a strong need for this as it was simply an issue that
> came up during testing of our code for mapping an authcid to an LDAP
> entry. I noticed that a realm set on the client side (ldapsearch) was
> never passed to the server, and my investigation led to the above.
> RFC 2831 led me to believe that multiple realms should be possible.
>> If you are, then the code can be extended to handle what you want,
>> but that wouldn't be entirely trivial and this change will be quite
>> specific to DIGEST-MD5 plugin.
> I think it would be nice to have eventually, but I understand that it
> is not a trivial issue to fix (particularly without changing the API).
Yes, I think this would require changing APIs, adding a new callback or
> Are there other mechanisms that allow multiple realms that would
> benefit from this as well (such as CRAM-MD5), or does this truly only
> affect DIGEST-MD5?
There is no other SASL mechanism I know of that uses realms in the same way.
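An added example (not Cyrus SASL code, and not from either poster) of the client-side realm handling Nathan describes: it parses the realm directives out of a DIGEST-MD5 challenge according to RFC 2831 and shows that a client-chosen realm only takes effect when the server offers more than one. The challenge strings used with it are constructed for illustration.

```python
# Added example (not Cyrus SASL code): the client-side realm selection
# described in the thread, applied to DIGEST-MD5 challenges parsed per
# RFC 2831.  All challenge strings are constructed for illustration.
import re
from typing import List, Optional, Tuple

# RFC 2831 directive list: name=value pairs separated by commas; a value is
# either a bare token or a "quoted string" (which may itself contain commas).
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]*)\s*(?:,|$)'
)

def parse_challenge(challenge: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in order; 'realm' may legitimately repeat."""
    pairs = []
    for m in _DIRECTIVE.finditer(challenge.decode("utf-8")):
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):                 # strip quotes, undo \-escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        pairs.append((name, value))
    return pairs

def realm_directives(realms: List[str]) -> bytes:
    """Server side: one realm="..." directive per realm, quoted per RFC 2831."""
    quoted = ['realm="%s"' % r.replace("\\", "\\\\").replace('"', '\\"')
              for r in realms]
    return ",".join(quoted).encode("utf-8")

def choose_realm(challenge: bytes, server_fqdn: str,
                 client_realm: Optional[str] = None) -> str:
    """Pick the realm a DIGEST-MD5 client will put in its response.

    With no realm in the challenge the server FQDN is used; with exactly one
    realm that realm is used unconditionally; only with several realms does
    the client's own choice matter, and it must be one the server offered.
    """
    offered = [v for n, v in parse_challenge(challenge) if n == "realm"]
    if not offered:
        return server_fqdn
    if len(offered) == 1:
        return offered[0]
    if client_realm is None:
        raise ValueError("server offered several realms, client must choose: %r"
                         % offered)
    if client_realm not in offered:
        raise ValueError("realm %r not offered by server: %r"
                         % (client_realm, offered))
    return client_realm
```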