Mapping User/Password to SASL Exchanges
Howard Chu
hyc at highlandsun.com
Tue Jun 22 20:57:23 EDT 2010
Henry B. Hotz wrote:
>
> On Jun 22, 2010, at 2:53 PM, Henry B. Hotz wrote:
>
>> Suppose I have a defined Java API which specifies arguments Username and
>> Password for opening a new session. The implementation and protocol are
>> officially unspecified, so we can do whatever we want with those arguments.
>>
>> How can/should I map between those arguments and SASL if I want to
>> implement the real connection using SASL? Is there any "prior art" like this?
>>
>> I'm thinking that the username should map to either the authentication ID,
>> and the "password"
>
> Should say: "username should map to the authorization ID".
Pretty sure you were right the first time. In the default case when an app
only provides a single username, it *must* be the authC ID. You can't do any
authC check without it, while the authZ ID is always optional.
>> could be either some kind of description like MECH:[credential location]
>> or an actual binary blob, or maybe empty (in favor of some system
>> properties). If someone else has defined a translation like this in a
>> generic way, I'd like to go with that.
>>
>> If it matters, the actual example is a JMS implementation.
If you aren't able to do an interactive conversation to get more info, that
limits your selection of mechs. Putting a mech prefix in there is interesting;
who selects it? Not the user I would assume.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
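As an added illustration of the mapping discussed in this thread (not code from the thread, from the JMS implementation, or from Cyrus SASL), here is a Python sketch of the translation layer: the username always becomes the authentication ID and the authorization ID stays separate and optional, while the password slot either carries the secret itself or a `MECH:[credential location]` hint. The prefix convention, the allow-list of non-interactive mechanisms, and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of mechanisms that can complete with no interactive
# prompt, i.e. with only what a two-argument (username, password) API carries.
# True: the mechanism consumes the password itself; False: it reads
# credentials from a location (ticket cache, TLS client cert) instead.
NON_INTERACTIVE_MECHS = {
    "PLAIN": True,
    "GSSAPI": False,
    "EXTERNAL": False,
}
# Only these may be named by a "MECH:location" prefix in the password slot,
# so a literal PLAIN password that happens to contain ':' is never mangled.
CRED_LOCATION_MECHS = {m for m, needs_secret in NON_INTERACTIVE_MECHS.items()
                       if not needs_secret}


@dataclass
class SaslParams:
    mech: str
    authcid: str                # always the caller's username
    authzid: Optional[str]      # optional; never derived from the username
    secret: Optional[str]       # the password, for mechs that consume one
    credential_location: Optional[str]


def map_credentials(username: str, password: Optional[str],
                    default_mech: str = "PLAIN",
                    authzid: Optional[str] = None) -> SaslParams:
    """Translate a fixed (username, password) pair into SASL parameters."""
    if not username:
        raise ValueError("username is mandatory: it becomes the SASL authcid")
    # Empty password: fall back to the configured default mechanism.
    mech, secret, location = default_mech.upper(), password or None, None
    if password:
        prefix, sep, rest = password.partition(":")
        if sep and prefix.upper() in CRED_LOCATION_MECHS:
            mech, secret, location = prefix.upper(), None, rest or None
    if mech not in NON_INTERACTIVE_MECHS:
        raise ValueError(f"{mech} needs an interactive conversation the API cannot run")
    if NON_INTERACTIVE_MECHS[mech] and secret is None:
        raise ValueError(f"{mech} needs a password but none was supplied")
    return SaslParams(mech, username, authzid, secret, location)
```

Who picks the mechanism prefix remains the open question from the reply above; here it is whatever the caller or a system property puts in the password slot.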