Mapping User/Password to SASL Exchanges

Howard Chu hyc at highlandsun.com
Tue Jun 22 20:57:23 EDT 2010


Henry B. Hotz wrote:
>
> On Jun 22, 2010, at 2:53 PM, Henry B. Hotz wrote:
>
>> Suppose I have a defined Java API which specifies arguments Username and
>> Password for opening a new session. The implementation and protocol are
>> officially unspecified, so we can do whatever we want with those arguments.
>>
>> How can/should I map between those arguments and SASL if I want to
>> implement the real connection using SASL? Is there any "prior art" like this?
>>
>> I'm thinking that the username should map to either the authentication ID,
>> and the "password"
>
> Should say: "username should map to the authorization ID".

Pretty sure you were right the first time. In the default case when an app 
only provides a single username, it *must* be the authC ID. You can't do any 
authC check without it, while the authZ ID is always optional.

>> could be either some kind of description like MECH:[credential location] or
>> an actual binary blob, or maybe empty (in favor of some system properties). If
>> someone else has defined a translation like this in a generic way, I'd like to
>> go with that.
>>
>> If it matters, the actual example is a JMS implementation.

If you aren't able to do an interactive conversation to get more info, that 
limits your selection of mechs. Putting a mech prefix in there is interesting; 
who selects it? Not the user I would assume.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
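As an added illustration of the mapping discussed in this thread (example code, not from either poster or from Cyrus SASL), the following uses the standard javax.security.sasl client API to open a session from a two-argument open(username, password) call. The username is handed to the mechanism as the authentication ID through NameCallback, the password through PasswordCallback, and the authorization ID is passed as null so the server derives it from the authentication ID. The protocol name "jms", the server name, the class names and the mechanism list are assumptions for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

// Hypothetical class: maps a fixed (username, password) pair onto SASL callbacks.
public class UserPasswordSaslMapping {

    /** Answers the callbacks a mechanism issues using only the two API arguments. */
    static final class CredentialHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        CredentialHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    // The API's username becomes the authentication ID (authcid).
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    // DIGEST-MD5 asks for a realm; with only two arguments available,
                    // accept the one the server proposed.
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else {
                    // Anything needing further interaction (e.g. GSSAPI prompts)
                    // cannot be satisfied from a username/password alone.
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Builds a SaslClient for the assumed open(username, password) API. */
    static SaslClient open(String username, String password, String serverName) throws SaslException {
        Map<String, String> props = new HashMap<>();
        // Refuse mechanisms that would transmit the password in clear text
        // unless the caller has wrapped the connection in TLS first.
        props.put(Sasl.POLICY_NOPLAINTEXT, "true");
        String[] mechs = {"DIGEST-MD5", "CRAM-MD5", "PLAIN"};  // assumed preference order
        return Sasl.createSaslClient(
                mechs,
                null,          // authzid deliberately absent: the server derives it from the authcid
                "jms",         // protocol name, assumed
                serverName,
                props,
                new CredentialHandler(username, password.toCharArray()));
    }

    public static void main(String[] args) throws Exception {
        SaslClient sc = open("alice", "constructed-example-password", "broker.example.com");
        System.out.println("negotiated mechanism: " + sc.getMechanismName());
        // A real transport would now loop over sc.hasInitialResponse() and
        // sc.evaluateChallenge(...) against the bytes received from the server.
        sc.dispose();
    }
}
```

Two points follow from the code. First, the handler can only satisfy mechanisms whose callbacks reduce to name, password and realm; a mechanism that needs more interaction surfaces as UnsupportedCallbackException, which is the concrete form of the limitation Howard describes. Second, the mechanism selection happens inside createSaslClient from the offered list and the policy properties, not from a prefix in the password string, so the question of who picks the mechanism is answered by the application's configuration rather than by the user.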

