Multiple-Mechanism Sample Code?
alexey.melnikov at isode.com
Mon Dec 18 17:12:03 EST 2006
Henry B. Hotz wrote:
> The published sample code seems to only try the first mechanism and
> then quit. I'm told the "correct" way to do SASL is to try all the
> mechanisms (or at least all the ones supported) and don't quit until
> you've tried them all. Is there any example code that illustrates this?
(I wanted to point you to Cyrus imtest, but it doesn't do that).
In general, I think a well written SASL client should behave as follows:
It should sort SASL mechanisms that both client and server support by
their "strength" or features recognized by the client. For SASL
mechanisms with equal strength the order used by the server can be used.
The client starts iterating through the ordered list, starting from the
strongest mechanism. It tries the mechanism. If authentication succeeds
- success. If not, the client may retry the mechanism (e.g. if the
server returned an indication that the password is incorrect) several
times, say 3 times. After that the client should move on to the next
strongest SASL mechanism and so on.
There are of course some complications. Some SASL mechanisms that can
potentially be stronger can end up being weaker, because of the options
that the server supports.
More information about the Cyrus-sasl