Possible bug with multiple realms and digest-md5?
Nathan Kinder
nkinder at redhat.com
Thu Dec 3 11:49:02 EST 2009
Hi,
I'm a developer working on an LDAP server application (389 Directory
Server) that uses Cyrus
SASL. We've been using Cyrus SASL successfully for quite some time, but
I have an odd issue I'm
seeing trying to use the digest-md5 mechanism with multiple realms.
The problem is that a realm set by the client (Mozilla ldapsearch or
OpenLDAP ldapsearch in this
case) never appears to be sent to the server. I would like to use the
client specified realm in
my SASL_CB_CANON_USER callback to allow the server to locate the
appropriate entry that contains
the shared secret.
I looked through the Cyrus SASL code, and the root of the problem looks
to be that there is no
way to set multiple realms when calling sasl_server_new(). The
user_realm parameter is just a
single "char *", which is just used as is by the call to
add_to_challenge() in the
digestmd5_server_mech_step1() function. I see no logic here to add
multiple realms to the
challenge that is sent to the client.
The client side of the digest-md5 plug-in has logic to handle multiple
realms. The
ask_user_info() function deals with this by looking for any realms that
were in the challenge.
If no realm was found, it fakes it by using the FQDN of the server. If
a single realm is found,
the client just uses it. If multiple realms are found, then it appears
an interaction is used,
meaning the client specified realm will be set. Since only one
available realm is sent in the
challenge from the server, the client specified realm will never be used.
Is my above interpretation of the code correct, or am I missing
something? Should it be
possible to set multiple available realms on the server side and have
them passed to the
client in the challenge?
Thanks,
-NGK
More information about the Cyrus-sasl
mailing list