Forwarding SASL to an LDAP server

Stef stef-list at memberwebs.com
Thu Jul 3 21:19:05 EDT 2008


I've put together a cyrus-sasl plugin which forwards all authentication
directly to a SASL-capable LDAP server.

This is designed so that the authenticated server (eg: mail server)
doesn't need to have access to the entire user database and all the
passwords.

Tarball here:

http://memberwebs.com/stef/software/sasl-delegateldap/snmp-delegateldap-0.0.2.tar.gz

However for this to work with DIGEST-MD5 authentication, the LDAP server
must skip the validation of the uri portion of the MD5 auth. Already as
implemented, only the first 'service' part is compared with the SASL
service type. The remainder of the uri is not checked.

The attached patch adds a 'validate_uri' configuration option, so that
the validation of the DIGEST-MD5 uri can be turned off altogether,
which allows forwarding of SASL authentication to an LDAP server to work.

How would I go about getting this added to cyrus-sasl? I'm certainly
also open to suggestions of better ways to accomplish this, if this
patch is not acceptable as is.

Cheers,

Stef Walter
Name: patch-sasl-digest-md5-validate-uri
Url: http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20080704/89504557/attachment.ksh 
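Added example, not code from cyrus-sasl or the sasl-delegateldap plugin: a small Python model of the DIGEST-MD5 response computation from RFC 2831 and of the server-side digest-uri check the post describes, with an assumed 'validate_uri' switch mirroring the proposed option. The user name, realm, nonces, host names and credential store are constructed, and verify_response(), demo_forwarding() and demo_tampered_uri() are hypothetical names chosen for this illustration. It shows why a response computed against 'smtp/...' fails at an 'ldap' server when the service part is compared, why it verifies once that comparison is skipped (the server just recomputes with the client-supplied digest-uri), and that the digest-uri itself stays hash-bound either way.

```python
"""DIGEST-MD5 (RFC 2831) response computation plus a server-side digest-uri
check with an assumed validate_uri switch. Added illustration; not code from
cyrus-sasl or the sasl-delegateldap plugin. All names below are constructed."""
import hashlib
import hmac
from typing import Callable, Optional, Tuple


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str,
                        authzid: Optional[str] = None,
                        rspauth: bool = False) -> str:
    """response-value (or rspauth when rspauth=True), RFC 2831 section 2.1.2.1.

    digest-uri is part of A2, so the client's claimed service is hashed into
    the response and cannot be altered in transit without breaking it."""
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = _md5hex(a2.encode("utf-8"))
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return _md5hex(kd_input.encode("utf-8"))


def parse_digest_uri(digest_uri: str) -> Tuple[str, str, Optional[str]]:
    """Split 'serv-type/host[/serv-name]' (RFC 2831 section 2.1.2)."""
    parts = digest_uri.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed digest-uri: {digest_uri!r}")
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def verify_response(server_service: str,
                    lookup_password: Callable[[str, str], Optional[str]],
                    fields: dict, validate_uri: bool = True) -> Tuple[bool, str]:
    """Server-side verification of a client's DIGEST-MD5 response.

    validate_uri=True models the check the post describes: only the serv-type
    part of digest-uri is compared with the server's SASL service; host and
    serv-name are ignored. validate_uri=False (the proposed option) skips even
    that, so an 'ldap' server accepts a response computed for 'smtp/...'."""
    try:
        serv_type, _host, _serv_name = parse_digest_uri(fields["digest-uri"])
    except (KeyError, ValueError) as exc:
        return False, f"bad digest-uri: {exc}"
    if validate_uri and serv_type != server_service:
        return False, f"digest-uri service {serv_type!r} != {server_service!r}"
    password = lookup_password(fields["username"], fields["realm"])
    if password is None:
        return False, "unknown user"
    expected = digest_md5_response(
        fields["username"], fields["realm"], password, fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"],
        fields.get("authzid"))
    if not hmac.compare_digest(expected, fields["response"]):
        return False, "response mismatch"
    return True, "ok"


# Constructed scenario: alice logs in to a mail server (SASL service "smtp")
# whose SASL stack forwards the exchange to an LDAP server (service "ldap").
USERS = {("alice", "example.com"): "s3cret"}  # constructed credential store


def _lookup(username: str, realm: str) -> Optional[str]:
    return USERS.get((username, realm))


def _client_fields(digest_uri: str = "smtp/mail.example.com") -> dict:
    """What the client sends to the mail server (constructed nonces)."""
    fields = {"username": "alice", "realm": "example.com",
              "nonce": "serverNonce1", "cnonce": "clientNonce1",
              "nc": "00000001", "qop": "auth", "digest-uri": digest_uri}
    fields["response"] = digest_md5_response(
        fields["username"], fields["realm"], "s3cret", fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"])
    return fields


def demo_forwarding(validate_uri: bool) -> Tuple[bool, str]:
    """The LDAP server verifies a response that names the smtp service."""
    return verify_response("ldap", _lookup, _client_fields(), validate_uri)


def demo_tampered_uri() -> Tuple[bool, str]:
    """Even with validate_uri=False the URI stays hash-bound: rewriting it
    after the client computed the response makes verification fail."""
    fields = _client_fields()
    fields["digest-uri"] = "ldap/ldap.example.com"  # altered in transit
    return verify_response("ldap", _lookup, fields, validate_uri=False)


if __name__ == "__main__":
    print(demo_forwarding(True))   # rejected: service part mismatch
    print(demo_forwarding(False))  # accepted
    print(demo_tampered_uri())     # rejected: response mismatch
```

The trade-off to keep in mind when setting such an option: the serv-type comparison is the only thing that binds a DIGEST-MD5 response to the service verifying it. With it switched off, the LDAP server will verify a response computed for any service type a delegating front end claims, so the front end's own checks (service name, nonce handling, realm) become the effective binding, and the LDAP server should accept delegated authentication only from those trusted front ends.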