From: Rob Siemborski (rjs3 at andrew dot cmu dot edu)
Date: Thu Mar 25 2004 - 11:21:48 EST
On Thu, 25 Mar 2004, Igor Brezac wrote:
> I believe that each authentication mech needs to deal with userid/realm
> params in their own way (just like auxprop plugins do). Although your
> proposal should work as well, we also need to deal with the realm value
> (pass it as is, alter it, ignore it, etc.)
I agree -- the treatment of realm should be mech-specific.
I also don't believe that unilaterally appending the realm in the auth_pam
module is the correct idea. A configuration option would be fine, as
would a global saslauthd configuration parser.
> In my opinion, sasl lib should not alter the username to begin with;
> user at domain dot tld is a perfectly valid userid. In addition, none of the
> plaintext mechs have use for the realm value like gssapi and digest-md5
> mechs do.
Not splitting the username and realm is inconsistent with the behavior of
other mechanisms.
> > It would also be interesting to know the rationale for changing SASL's behavior.
>
> http://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2094
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper