Possible bug with multiple realms and digest-md5?

Alexey Melnikov alexey.melnikov at isode.com
Mon Dec 7 15:31:06 EST 2009


Nathan Kinder wrote:

> On 12/06/2009 02:03 PM, Alexey Melnikov wrote:
>
>> Nathan Kinder wrote:
>>
>>> Hi,
>>
>> Hi Nathan,
>>
>>> I'm a developer working on an LDAP server application (389 Directory
>>> Server) that uses Cyrus SASL.  We've been using Cyrus SASL successfully
>>> for quite some time, but I have an odd issue I'm seeing trying to use
>>> the digest-md5 mechanism with multiple realms.
>>>
>>> The problem is that a realm set by the client (Mozilla ldapsearch or
>>> OpenLDAP ldapsearch in this case) never appears to be sent to the
>>> server.  I would like to use the client specified realm in my
>>> SASL_CB_CANON_USER callback to allow the server to locate the
>>> appropriate entry that contains the shared secret.
>>>
>>> I looked through the Cyrus SASL code, and the root of the problem looks
>>> to be that there is no way to set multiple realms when calling
>>> sasl_server_new().  The user_realm parameter is just a single "char *",
>>> which is just used as is by the call to add_to_challenge() in the
>>> digestmd5_server_mech_step1() function.  I see no logic here to add
>>> multiple realms to the challenge that is sent to the client.
>>
>> Right.
>>
>>> The client side of the digest-md5 plug-in has logic to handle multiple
>>> realms.  The ask_user_info() function deals with this by looking for
>>> any realms that were in the challenge.  If no realm was found, it fakes
>>> it by using the FQDN of the server.  If a single realm is found, the
>>> client just uses it.  If multiple realms are found, then it appears an
>>> interaction is used, meaning the client specified realm will be set.
>>> Since only one available realm is sent in the challenge from the
>>> server, the client specified realm will never be used.
>>
>> Correct.
>>
>>> Is my above interpretation of the code correct, or am I missing
>>> something?  Should it be possible to set multiple available realms on
>>> the server side and have them passed to the client in the challenge?
>>
>> Are you sure you actually need support for multiple realms as opposed
>> to just using usernames in the form of "user@domain"?
>
> I don't have a strong need for this as it was simply an issue that 
> came up during testing of our code for mapping an authcid to an LDAP 
> entry.  I noticed that a realm set on the client side (ldapsearch) was 
> never passed to the server, and my investigation led to the above.  
> RFC 2831 led me to believe that multiple realms should be possible.

Right.

>> If you are, then the code can be extended to handle what you want, 
>> but that wouldn't be entirely trivial and this change will be quite 
>> specific to DIGEST-MD5 plugin.
>
> I think it would be nice to have eventually, but I understand that it 
> is not a trivial issue to fix (particularly without changing the API).

Yes, I think this would require changing APIs, adding a new callback or 
similar.

> Are there other mechanisms that allow multiple realms that would 
> benefit from this as well (such as CRAM-MD5), or does this truly only 
> affect DIGEST-MD5?

There is no other SASL mechanism I know of that uses realms in the same way.
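As an added illustration (not code from Cyrus SASL or from either poster), a small C helper that applies the three realm-selection cases described above for the client's ask_user_info() to a DIGEST-MD5 challenge string; the function names, the challenge samples and the server FQDN are hypothetical, constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Cyrus SASL code.  Scans a DIGEST-MD5 server
 * challenge for realm="..." directives (RFC 2831 allows several) and
 * applies the client rules described in the thread:
 *   0 realms -> fake one from the server FQDN
 *   1 realm  -> use it
 *   2+       -> an interaction is needed; 'chosen' is left empty
 * Returns the number of realm directives.  Backslash-escaped quotes
 * inside a realm value are not handled (simplification). */
int digest_select_realm(const char *challenge, const char *server_fqdn,
                        char *chosen, size_t chosen_len)
{
    int count = 0;
    const char *p = challenge;

    chosen[0] = '\0';
    while ((p = strstr(p, "realm=\"")) != NULL) {
        /* only accept the token at a directive boundary */
        if (p != challenge && p[-1] != ',' && p[-1] != ' ') {
            p += 7;
            continue;
        }
        const char *start = p + 7;
        const char *end = strchr(start, '"');
        if (end == NULL)
            break;                      /* malformed: unterminated value */
        if (++count == 1)
            snprintf(chosen, chosen_len, "%.*s", (int)(end - start), start);
        p = end + 1;
    }
    if (count == 0)
        snprintf(chosen, chosen_len, "%s", server_fqdn);
    else if (count > 1)
        chosen[0] = '\0';               /* caller must ask the user */
    return count;
}

/* Convenience check: 1 if both the count and the chosen realm match
 * the expectation, else 0.  Sample challenges are constructed inputs. */
int realm_case(const char *challenge, const char *fqdn,
               int expect_count, const char *expect_realm)
{
    char buf[128];
    int n = digest_select_realm(challenge, fqdn, buf, sizeof buf);
    return n == expect_count && strcmp(buf, expect_realm) == 0;
}
```

With the single-realm challenge a current server emits, the client never reaches the interaction branch; only a challenge carrying two or more realm directives does.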