Possible bug with multiple realms and digest-md5?

Nathan Kinder nkinder at redhat.com
Mon Dec 7 15:08:32 EST 2009


On 12/06/2009 02:03 PM, Alexey Melnikov wrote:
> Nathan Kinder wrote:
>
>> Hi,
>
> Hi Nathan,
>
>> I'm a developer working on an LDAP server application (389 Directory 
>> Server) that uses Cyrus
>> SASL.  We've been using Cyrus SASL successfully for quite some time, 
>> but I have an odd issue I'm
>> seeing trying to use the digest-md5 mechanism with multiple realms.
>>
>> The problem is that a realm set by the client (Mozilla ldapsearch or 
>> OpenLDAP ldapsearch in this
>> case) never appears to be sent to the server.  I would like to use 
>> the client specified realm in
>> my SASL_CB_CANON_USER callback to allow the server to locate the 
>> appropriate entry that contains
>> the shared secret.
>>
>> I looked through the Cyrus SASL code, and the root of the problem 
>> looks to be that there is no
>> way to set multiple realms when calling sasl_server_new().  The 
>> user_realm parameter is just a
>> single "char *", which is just used as is by the call to 
>> add_to_challenge() in the
>> digestmd5_server_mech_step1() function.  I see no logic here to add 
>> multiple realms to the
>> challenge that is sent to the client.
>
> Right.
>
>> The client side of the digest-md5 plug-in has logic to handle 
>> multiple realms.  The
>> ask_user_info() function deals with this by looking for any realms 
>> that were in the challenge.
>> If no realm was found, it fakes it by using the FQDN of the server.  
>> If a single realm is found,
>> the client just uses it.  If multiple realms are found, then it 
>> appears an interaction is used,
>> meaning the client specified realm will be set.  Since only one 
>> available realm is sent in the
>> challenge from the server, the client specified realm will never be 
>> used.
>
> Correct.
>
>> Is my above interpretation of the code correct, or am I missing 
>> something?  Should it be
>> possible to set multiple available realms on the server side and have 
>> them passed to the
>> client in the challenge?
>
> Are you sure you actually need support for multiple realms as opposed 
> to just using usernames in the form of "user at domain"?
I don't have a strong need for this as it was simply an issue that came 
up during testing of our code for mapping an authcid to an LDAP entry.  
I noticed that a realm set on the client side (ldapsearch) was never 
passed to the server, and my investigation led to the above.  RFC 2831 
led me to believe that multiple realms should be possible.
> If you are, then the code can be extended to handle what you want, but 
> that wouldn't be entirely trivial and this change will be quite 
> specific to DIGEST-MD5 plugin.
I think it would be nice to have eventually, but I understand that it is 
not a trivial issue to fix (particularly without changing the API).  Are 
there other mechanisms that allow multiple realms that would benefit 
from this as well (such as CRAM-MD5), or does this truly only affect 
DIGEST-MD5?

Thanks,
-NGK
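An added illustration of the point Nathan raises, in Python (example code written for this page, not code from Cyrus SASL or 389 Directory Server): a DIGEST-MD5 challenge that advertises several realm= directives, the client-side realm choice the thread describes for ask_user_info(), and the reason the chosen realm has to reach the server, namely that RFC 2831 hashes the realm into A1, so it selects which shared secret is checked. The realms, user, passwords, nonces and host names are constructed for the example.

```python
"""
Added example (not code from the Cyrus SASL project or from 389 Directory Server).
Shows the DIGEST-MD5 (RFC 2831) mechanics the thread discusses: a challenge carrying
several realm= directives, the client-side realm choice the thread describes for
ask_user_info(), and why the chosen realm must reach the server: it is hashed into
A1, so it decides which shared secret the server verifies against.
All realms, users, passwords and host names below are constructed.
"""
import hashlib
import hmac
import re
import secrets

# key=value or key="quoted value" directives separated by commas (RFC 2831 section 2.1.1)
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def build_challenge(realms, nonce, qop="auth"):
    """Server side: one realm= directive per realm; RFC 2831 permits several."""
    parts = [f'realm="{r}"' for r in realms]
    parts += [f'nonce="{nonce}"', f'qop="{qop}"', 'charset=utf-8', 'algorithm=md5-sess']
    return ",".join(parts)


def parse_directives(msg):
    """Parse a digest-challenge or digest-response; repeated keys (realm) stay a list."""
    out = {}
    for key, val in _DIRECTIVE.findall(msg):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])   # strip quotes, unescape \x
        out.setdefault(key.lower(), []).append(val)
    return out


def choose_realm(challenge_realms, server_fqdn, client_realm=None):
    """
    Client side, as the thread describes the Cyrus plug-in: no realm in the challenge
    -> fall back to the server FQDN; exactly one -> use it unconditionally; several
    -> the client-specified realm is used (here: client_realm, or the first advertised
    realm when none was given, standing in for the interaction).
    """
    if not challenge_realms:
        return server_fqdn
    if len(challenge_realms) == 1:
        return challenge_realms[0]
    return client_realm if client_realm is not None else challenge_realms[0]


def _h(data):
    return hashlib.md5(data).digest()


def digest_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """response-value for algorithm=md5-sess, qop=auth (RFC 2831 section 2.1.2.1).
    The realm is inside A1, which is why the server must know it to pick the secret."""
    ha1_inner = _h(f"{username}:{realm}:{password}".encode("utf-8"))   # raw 16 bytes
    a1 = ha1_inner + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd_input.encode("utf-8")).hex()


def server_verify(secrets_by_realm, resp, nonce):
    """Server side: locate the shared secret by (realm, username) taken from the response."""
    if resp.get("nonce", [None])[0] != nonce:
        return False
    user, realm = resp["username"][0], resp.get("realm", [""])[0]
    password = secrets_by_realm.get(realm, {}).get(user)
    if password is None:
        return False                                    # no such entry in that realm
    expected = digest_response(user, realm, password, nonce, resp["cnonce"][0],
                               resp["nc"][0], resp["qop"][0], resp["digest-uri"][0])
    return hmac.compare_digest(expected, resp["response"][0])


# Constructed fixture: the same authcid exists in two realms with different secrets.
SERVER_SECRETS = {"example.com": {"alice": "secret-com"},
                  "example.net": {"alice": "secret-net"}}
SERVER_FQDN = "ldap.example.com"
CLIENT_CREDS = ("alice", "secret-net", "example.net")    # user, password, wanted realm


def run_exchange(advertised_realms):
    """One round trip. Returns (realm the client ended up using, server accepted?)."""
    user, password, wanted_realm = CLIENT_CREDS
    nonce = secrets.token_hex(16)
    ch = parse_directives(build_challenge(advertised_realms, nonce))
    realm = choose_realm(ch.get("realm", []), SERVER_FQDN, client_realm=wanted_realm)
    cnonce, nc, qop, uri = secrets.token_hex(16), "00000001", "auth", f"ldap/{SERVER_FQDN}"
    response = digest_response(user, realm, password, ch["nonce"][0], cnonce, nc, qop, uri)
    msg = ",".join([f'username="{user}"', f'realm="{realm}"', f'nonce="{ch["nonce"][0]}"',
                    f'cnonce="{cnonce}"', f'nc={nc}', f'qop={qop}', f'digest-uri="{uri}"',
                    f'response={response}', 'charset=utf-8'])
    return realm, server_verify(SERVER_SECRETS, parse_directives(msg), nonce)


if __name__ == "__main__":
    # A server that can only advertise one user_realm: the client's realm never reaches it.
    print(run_exchange(["example.com"]))                  # ('example.com', False)
    # A server advertising both realms: the client's choice is sent and verified.
    print(run_exchange(["example.com", "example.net"]))   # ('example.net', True)
```

The first call models the situation in the thread: with a single realm in the challenge the client takes it as-is, hashes its secret under the wrong realm, and the server's lookup in that realm finds a different secret, so the bind fails. Only when the challenge carries both realms does the client's preferred realm appear in the response, letting the server locate the matching entry.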
