SASL PLAIN and Realms

Rob Siemborski rjs3 at
Wed Jul 2 09:58:44 EDT 2003

On Wed, 2 Jul 2003, Nikola Milutinovic wrote:

> I could in error, so I'd like to check it out with the list.
> ---------------------
> Can SASL mechanism PLAIN authenticate against a realm?

Short Answer: Yes.  If you're using sasldb2 directly.

> LONG FORM -------------------

> I'm trying to setup Open LDAP 2.1.21 as a ChRoot-ed server. One problem
> that popped up was authentication. Since CRAM-MD5 and DIGEST-MD5 rely on
> SASLDB, for those, I would be forced to have two copies of sasldb2 on my
> server - not a good idea in my opinion (I can make a hard link and solve
> the problem, but still I don't like the idea). Kerberos is still not
> around the corner for me (I will have it eventually, but not right now).
> So, I thought to myself, why not SASL Authentication Daemon which would
> lean on the main (and only) SASLDB?

This is perhaps the first reasonable use of the sasldb saslauthd module
I've heard of, but I still would recommend against it.

> I've setup saslauthd and SLapD tries to authenticate against it.
> "testsaslauthd" works OK.
> The problem is in the realm parameter. From the logs I can see that
> SLapD sends "realm" as empty string, although I have specified the realm
> on the command line (the tool in this case was "ldapadd"). What is more
> confusing, running SLapD in full debug mode, I can see that the routines
> are correctly assigning the realm, but no realm is passed to the
> saslauthd.

Hmmm, yeah, we don't seem to be parsing the realm out of the username, and
instead are just passing the server-wide realm to the saslauthd checkpass

> If this is the case, what can I do? Create entries without a realm in
> sasldb2? Can I set the realm for saslauthd on the command line?

It looks like theres nothing that can be done to fit this configuration
without code changes to _sasl_checkpass in server.c (or now that I look
at it closer, saslauthd_verify_password in checkpw.c).

Of course, some of the saslauthd modules are probably looking for the
realm in user at realm format instead.  They probably want to be fixed if
thats the case.

I suppose you can make use of a mysql database and accomplish roughly the
same thing, only with the main database outside of the chroot.  This would
also let you use DIGEST-MD5 and CRAM-MD5.


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

More information about the Info-cyrus mailing list