[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: Mapping User/Password to SASL Exchanges



Henry B. Hotz wrote:

On Jun 22, 2010, at 2:53 PM, Henry B. Hotz wrote:

Suppose I have a defined Java API which specifies arguments Username and
Password for opening a new session. The implementation and protocol is
officially unspecified, so we can do whatever we want with those arguments.

How can/should I map between those arguments and SASL if I want to
implement the real connection using SASL? Is there any "prior art" like this?

I'm thinking that the username should map to either the authentication
ID,
and the "password"

Should say: "username should map to the authorization ID".

Pretty sure you were right the first time. In the default case when an app only provides a single username, it *must* be the authC ID. You can't do any authC check without it, while the authZ ID is always optional.

could be either some kind of description like MECH:[credential location]
or
an actual binary blob, or maybe empty (in favor of some system properties). If
someone else has defined a translation like this in a generic way, I'd like to
go with that.

If it matters, the actual example is a JMS implementation.

If you aren't able to do an interactive conversation to get more info, that limits your selection of mechs. Putting a mech prefix in there is interesting; who selects it? Not the user I would assume.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


[Video For Linux]     [Photos]     [Yosemite News]    [Yosemite Photos]     [gtk]     [KDE]     [Info Cyrus]     [Gimp on Windows]     [Steve's Art]     [Script Fu]

Powered by Linux