|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
Henry B. Hotz wrote:
On Jun 22, 2010, at 2:53 PM, Henry B. Hotz wrote:Suppose I have a defined Java API which specifies arguments Username and
Password for opening a new session. The implementation and protocol is officially unspecified, so we can do whatever we want with those arguments.
How can/should I map between those arguments and SASL if I want to
implement the real connection using SASL? Is there any "prior art" like this?
I'm thinking that the username should map to either the authentication ID,
and the "password"
Should say: "username should map to the authorization ID".
Pretty sure you were right the first time. In the default case when an app only provides a single username, it *must* be the authC ID. You can't do any authC check without it, while the authZ ID is always optional.
could be either some kind of description like MECH:[credential location] or
an actual binary blob, or maybe empty (in favor of some system properties). If someone else has defined a translation like this in a generic way, I'd like to go with that.
If it matters, the actual example is a JMS implementation.
If you aren't able to do an interactive conversation to get more info, that limits your selection of mechs. Putting a mech prefix in there is interesting; who selects it? Not the user I would assume.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/