Possible bug with multiple realms and digest-md5?

Nathan Kinder nkinder at redhat.com
Thu Dec 3 11:49:02 EST 2009


Hi,

I'm a developer working on an LDAP server application (389 Directory Server) that uses Cyrus SASL.  We've been using Cyrus SASL successfully for quite some time, but I have an odd issue I'm seeing trying to use the digest-md5 mechanism with multiple realms.

The problem is that a realm set by the client (Mozilla ldapsearch or OpenLDAP ldapsearch in this case) never appears to be sent to the server.  I would like to use the client specified realm in my SASL_CB_CANON_USER callback to allow the server to locate the appropriate entry that contains the shared secret.

I looked through the Cyrus SASL code, and the root of the problem looks to be that there is no way to set multiple realms when calling sasl_server_new().  The user_realm parameter is just a single "char *", which is just used as is by the call to add_to_challenge() in the digestmd5_server_mech_step1() function.  I see no logic here to add multiple realms to the challenge that is sent to the client.

The client side of the digest-md5 plug-in has logic to handle multiple realms.  The ask_user_info() function deals with this by looking for any realms that were in the challenge.  If no realm was found, it fakes it by using the FQDN of the server.  If a single realm is found, the client just uses it.  If multiple realms are found, then it appears an interaction is used, meaning the client specified realm will be set.  Since only one available realm is sent in the challenge from the server, the client specified realm will never be used.

Is my above interpretation of the code correct, or am I missing something?  Should it be possible to set multiple available realms on the server side and have them passed to the client in the challenge?

Thanks,
-NGK
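The client-side realm selection the post describes (no realm in the challenge, one realm, several realms) can be reproduced with a small standalone parser. This is an added example, not code from Cyrus SASL or 389 Directory Server; the challenge strings follow the RFC 2831 directive syntax but are constructed here, and the function names (parse_realms, choose_realm, realm_for, count_realms) are this example's own.

```c
#include <string.h>

#define MAX_REALMS 8
#define REALM_LEN 64

/* Constructed sample challenges (RFC 2831 directive syntax), not captured traffic. */
static const char *CHALLENGE_NONE  = "nonce=\"abc\",qop=\"auth\",charset=utf-8,algorithm=md5-sess";
static const char *CHALLENGE_ONE   = "realm=\"example.com\",nonce=\"abc\",qop=\"auth\",algorithm=md5-sess";
static const char *CHALLENGE_MULTI = "realm=\"example.com\",realm=\"corp.example.com\",nonce=\"abc\",qop=\"auth\"";

/* Collect every realm="..." directive from a challenge into realms[]; returns the count. */
static int parse_realms(const char *challenge, char realms[][REALM_LEN], int max)
{
    int n = 0;
    const char *p = challenge;
    while ((p = strstr(p, "realm=\"")) != NULL) {
        const char *start = p + 7;                 /* skip the literal realm=" */
        const char *end = strchr(start, '"');
        if (end == NULL) break;                     /* unterminated value: stop parsing */
        if (n < max && (size_t)(end - start) < REALM_LEN) {
            memcpy(realms[n], start, (size_t)(end - start));
            realms[n][end - start] = '\0';
            n++;
        }
        p = end + 1;
    }
    return n;
}

/* The rule the post attributes to ask_user_info(): no realm offered -> fall back to
   the server FQDN; exactly one -> use it; several -> the user's choice, if offered. */
static const char *choose_realm(char realms[][REALM_LEN], int n,
                                const char *fqdn, const char *user_pref)
{
    if (n == 0) return fqdn;
    if (n == 1) return realms[0];
    for (int i = 0; i < n; i++)
        if (user_pref != NULL && strcmp(realms[i], user_pref) == 0) return realms[i];
    return NULL;   /* several offered, none matches: the client must ask the user */
}

/* Parse and choose in one step (static buffer, so not reentrant). */
static const char *realm_for(const char *challenge, const char *fqdn, const char *user_pref)
{
    static char realms[MAX_REALMS][REALM_LEN];
    return choose_realm(realms, parse_realms(challenge, realms, MAX_REALMS), fqdn, user_pref);
}

static int count_realms(const char *challenge)
{
    char realms[MAX_REALMS][REALM_LEN];
    return parse_realms(challenge, realms, MAX_REALMS);
}
```

With only one realm directive in the challenge (the server-side situation described above), the user's preferred realm is never consulted, which is the behaviour the post reports.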

