Multiple-Mechanism Sample Code?

Alexey Melnikov alexey.melnikov at
Mon Dec 18 17:12:03 EST 2006

Henry B. Hotz wrote:

> The published sample code seems to only try the first mechanism and  
> then quit.  I'm told the "correct" way to do SASL is to try all the  
> mechanisms (or at least all the ones supported) and don't quit until  
> you've tried them all.  Is there any example code that illustrates this?

(I wanted to point you to Cyrus imtest, but it doesn't do that).

In general, I think a well written SASL client should behave as follows:

It should sort SASL mechanisms that both client and server support by 
their "strength" or features recognized by the client. For SASL 
mechanisms with equal strength the order used by the server can be used.
The client starts iterating through the ordered list, starting from the 
strongest mechanism. It tries the mechanism. If authentication succeeds 
- success. If not, the client may retry the mechanism (e.g. if the 
server returned an indication that the password is incorrect) several 
times, say 3 times. After that the client should move on to the next 
strongest SASL mechanism and so on.

There are of course some complications. Some SASL mechanisms that can 
potentially be stronger can end up being weaker, because of the options 
that the server supports.

More information about the Cyrus-sasl mailing list