SASL PLAIN and Realms

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Wed Jul 2 08:33:37 EDT 2003


Hi all.

I could be in error, so I'd like to check it out with the list.

SHORT FORM
---------------------
Can SASL mechanism PLAIN authenticate against a realm?

LONG FORM
-------------------
I'm trying to set up OpenLDAP 2.1.21 as a ChRoot-ed server. One problem that popped up was authentication. Since CRAM-MD5 and DIGEST-MD5 rely on SASLDB, for those, I would be forced to have two copies of sasldb2 on my server - not a good idea in my opinion (I can make a hard link and solve the problem, but still I don't like the idea). Kerberos is still not around the corner for me (I will have it eventually, but not right now).

So, I thought to myself, why not SASL Authentication Daemon which would lean on the main (and only) SASLDB?

I've set up saslauthd and SLapD tries to authenticate against it. "testsaslauthd" works OK.

The problem is in the realm parameter. From the logs I can see that SLapD sends "realm" as an empty string, although I have specified the realm on the command line (the tool in this case was "ldapadd"). What is more confusing, running SLapD in full debug mode, I can see that the routines are correctly assigning the realm, but no realm is passed to saslauthd.

This leads me to believe that PLAIN doesn't support realms.

If this is the case, what can I do? Create entries without a realm in sasldb2? Can I set the realm for saslauthd on the command line?

Nix.
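
Added example, not part of the original post and not Cyrus SASL or OpenLDAP code: the PLAIN message defined in RFC 4616 carries only three NUL-separated fields (authzid, authcid, passwd) and has no realm field, which this parser makes visible. The user@realm split is an assumed convention for illustration, and all names and sample values are constructed.

```python
"""Decode a SASL PLAIN initial response as laid out in RFC 4616."""
from typing import NamedTuple, Optional


class PlainCredentials(NamedTuple):
    authzid: str           # identity to act as (may be empty)
    authcid: str           # identity whose password is checked
    password: str
    realm: Optional[str]   # NOT a wire field; derived from authcid below


def encode_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the message: [authzid] NUL authcid NUL passwd."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def parse_plain(message: bytes) -> PlainCredentials:
    """Split a PLAIN message into its three fields and derive a realm."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and passwd must be non-empty")
    # Assumed convention (hypothetical for this example): a realm, if any,
    # travels inside the authcid as user@realm, since the wire format has
    # no separate slot for it.
    user, sep, realm = authcid.rpartition("@")
    if sep and user and realm:
        return PlainCredentials(authzid, user, password, realm)
    return PlainCredentials(authzid, authcid, password, None)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    for login in ("nix", "nix@example.org"):
        wire = encode_plain(login, "secret")
        print(repr(wire), "->", parse_plain(wire))
```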


More information about the Info-cyrus mailing list