Question about sasl_client_start()

Dan White dwhite at olp.net
Tue Jun 19 14:42:13 EDT 2012


On 06/19/12 16:08 +0800, ctosgh wrote:
>Greetings,
>
>As the doc said
>"This function starts an authentication session. It takes a list of
>possible mechanisms (usually gotten from the server through a capability
>command) and chooses the "best" mechanism to try. Upon success clientout
>points at data to send to the server"
>
>I am confused by "usually gotten from the server through a capability
>command". What does it exactly mean?

An imap client parses the capability string returned by the server, such
as:

* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 SASL-IR] quark Cyrus IMAP x.y.z server ready

It's the calling application's responsibility to know how to obtain the
list (as defined by the protocol spec). The imtest utility provides an
example.

>Let's take ldap client for an example, is there a real LDAP operation sent
>to server over the network to get the mechanisms list supported by server
>if this function is called?

An attribute in the root DSE provides the list of server supported
mechanisms (RFC 2251):

~$ ldapsearch -LLL -x -H ldap://ldap.example.net -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5

-- 
Dan White
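As an added example (not code from the thread, Cyrus SASL or imtest), the two mechanism-list sources above can be reduced to the space-separated string that sasl_client_start() expects as its mechlist argument. The IMAP greeting and LDIF text are constructed sample inputs copied from the quotes above; the parsers here are illustrative and not linked against libsasl2, so the block runs stand-alone. The LDIF parser assumes one value per line (no folded continuation lines and no base64 `::` values), which is what ldapsearch -LLL prints for this attribute.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Constructed sample inputs, taken from the capability line and ldapsearch
 * output quoted in the message above. */
static const char IMAP_GREETING[] =
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED AUTH=GSSAPI "
    "AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 SASL-IR] quark Cyrus IMAP x.y.z server ready";

static const char LDIF_ROOT_DSE[] =
    "dn:\n"
    "supportedSASLMechanisms: LOGIN\n"
    "supportedSASLMechanisms: DIGEST-MD5\n"
    "supportedSASLMechanisms: NTLM\n"
    "supportedSASLMechanisms: GSSAPI\n"
    "supportedSASLMechanisms: OTP\n"
    "supportedSASLMechanisms: PLAIN\n"
    "supportedSASLMechanisms: ANONYMOUS\n"
    "supportedSASLMechanisms: CRAM-MD5\n";

/* Append one mechanism name to a space-separated list. Returns -1 (and leaves
 * the list unchanged) if the buffer cannot hold it, so a short buffer never
 * yields a truncated mechanism name. */
static int append_mech(char *out, size_t outlen, const char *name, size_t n) {
    size_t used = strlen(out);
    size_t need = n + (used ? 1 : 0);
    if (used + need + 1 > outlen) return -1;
    if (used) out[used++] = ' ';
    memcpy(out + used, name, n);
    out[used + n] = '\0';
    return 0;
}

/* Extract the AUTH=<mech> tokens from an IMAP greeting or CAPABILITY response
 * into a space-separated list (the mechlist form sasl_client_start() takes).
 * Handles both "[CAPABILITY ...]" in a greeting and an untagged
 * "* CAPABILITY ..." line. Returns the number of mechanisms, or -1 if the
 * response carries no CAPABILITY data or the buffer is too small. */
int imap_capability_mechs(const char *resp, char *out, size_t outlen) {
    const char *p = strstr(resp, "CAPABILITY");
    if (!p) return -1;
    out[0] = '\0';
    int count = 0;
    p += strlen("CAPABILITY");
    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0' || *p == ']' || *p == '\r' || *p == '\n') break;
        const char *tok = p;
        while (*p && *p != ' ' && *p != ']' && *p != '\r' && *p != '\n') p++;
        size_t len = (size_t)(p - tok);
        /* IMAP atoms are case-insensitive, hence strncasecmp. */
        if (len > 5 && strncasecmp(tok, "AUTH=", 5) == 0) {
            if (append_mech(out, outlen, tok + 5, len - 5) < 0) return -1;
            count++;
        }
    }
    return count;
}

/* Collect supportedSASLMechanisms values from LDIF text (as printed by
 * ldapsearch against the root DSE) into a space-separated list.
 * Returns the number of values, or -1 if the buffer is too small. */
int ldif_sasl_mechs(const char *ldif, char *out, size_t outlen) {
    static const char attr[] = "supportedSASLMechanisms:";
    const size_t alen = sizeof(attr) - 1;
    out[0] = '\0';
    int count = 0;
    const char *line = ldif;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > alen && strncmp(line, attr, alen) == 0) {
            const char *v = line + alen;
            const char *end = line + linelen;
            while (v < end && *v == ' ') v++;
            while (end > v && isspace((unsigned char)end[-1])) end--;
            if (end > v) {
                if (append_mech(out, outlen, v, (size_t)(end - v)) < 0) return -1;
                count++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return count;
}

int main(void) {
    char mechs[256];
    int n = imap_capability_mechs(IMAP_GREETING, mechs, sizeof mechs);
    printf("IMAP: %d mechanisms: %s\n", n, mechs);
    n = ldif_sasl_mechs(LDIF_ROOT_DSE, mechs, sizeof mechs);
    printf("LDAP: %d mechanisms: %s\n", n, mechs);
    /* Either string is what the application would hand to sasl_client_start()
     * as mechlist; the library then picks the strongest mechanism it supports. */
    return 0;
}
```

Note that the IMAP parser deliberately ignores the LOGINDISABLED capability: it only affects the plaintext LOGIN command, not the AUTH= list, so a client that wants to honour it needs a separate check on that token before falling back to LOGIN.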

