[jdev] GSSAPI and service hostname
stpeter at stpeter.im
Thu Jan 15 10:51:30 CST 2009
Robin Redeker wrote:
> I've received a bug report for my Perl module AnyEvent::XMPP recently,
> that says that I should not pass the domain of the JID as service hostname
> to SASL (and later the GSSAPI mechanism).
> Then I've been trying to figure out how the JID is mapped to the service
> hostname of the XMPP server for GSSAPI authentication, bringing me to the
> conclusion that the RFC 3920 (bis) doesn't say much about the _hostname_
> of the service.
RFC 3920 (or rfc3920bis) doesn't get into the details of particular SASL
mechanisms. As far as I know, GSSAPI is the only SASL mechanism that
uses the service hostname -- the other mechanisms tend to accept only
the username portion of the JID (or a certificate that contains the JID).
> So here is my question to the broad mass of developers: How should I determine
> the hostname of the service I'm authenticating with?
As we discussed in the jdev room yesterday, I think you would use the
machine-name that you discovered via SRV lookup:
> I also wonder which server supports GSSAPI mechanisms, so that I can
> test my implementation.
It's not the most popular SASL mechanism because not that many
organizations deploy Kerberos.
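
The mapping discussed above (JID domain, then SRV lookup, then the machine name handed to GSSAPI), as an added example that is not part of the original message or of AnyEvent::XMPP. The record values and the helper names (srv_name, pick_srv, connect_target) are constructed for illustration; the "xmpp" service name is the GSSAPI service name registered in RFC 3920, and the resolver call itself is left out so the block runs offline.

```python
import random
from typing import NamedTuple, Optional, Sequence

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample answer for _xmpp-client._tcp.example.com. (not real data)
SAMPLE = [Srv(20, 0, 5222, "backup.example.net."),
          Srv(10, 5, 5222, "XMPP1.example.net.")]

def jid_domain(jid: str) -> str:
    """Domain part of local@domain/resource (the resource may itself contain '@' or '/')."""
    return jid.split("/", 1)[0].rsplit("@", 1)[-1].rstrip(".").lower()

def srv_name(jid: str) -> str:
    """Owner name to query for the client-to-server SRV records of the JID's domain."""
    return "_xmpp-client._tcp." + jid_domain(jid) + "."

def pick_srv(records: Sequence[Srv], rng: random.Random) -> Optional[Srv]:
    """RFC 2782 choice, simplified: lowest priority, weighted random inside that group."""
    if not records:
        return None                      # no SRV data: caller falls back to the domain
    if len(records) == 1 and records[0].target == ".":
        raise LookupError("domain states that the service is not offered")
    lowest = min(r.priority for r in records)
    pool = [r for r in records if r.priority == lowest]
    weights = [r.weight for r in pool]
    if sum(weights) == 0:                # random.choices rejects all-zero weights
        return rng.choice(pool)
    return rng.choices(pool, weights=weights, k=1)[0]

def connect_target(jid: str, records: Sequence[Srv],
                   rng: Optional[random.Random] = None):
    """Return (host, port, gss_name); gss_name is the host-based name 'xmpp@<host>'."""
    rec = pick_srv(records, rng or random.Random())
    host = rec.target.rstrip(".").lower() if rec else jid_domain(jid)
    port = rec.port if rec else 5222     # default client port when no SRV record exists
    return host, port, "xmpp@" + host

if __name__ == "__main__":
    print(srv_name("robin@example.com/laptop"))
    print(connect_target("robin@example.com/laptop", SAMPLE))
```

The name given to GSSAPI here comes from the SRV answer, so it is only as trustworthy as the DNS lookup that produced it.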