[jdev] GSSAPI and service hostname

Peter Saint-Andre stpeter at stpeter.im
Thu Jan 15 10:51:30 CST 2009

Robin Redeker wrote:
> Hi!
> I've received a bug report for my Perl module AnyEvent::XMPP recently,
> that says that I should not pass the domain of the JID as service hostname
> to SASL (and later the GSSAPI mechanism).
> Then I've been trying to figure out how the JID is mapped to the service
> hostname of the XMPP server for GSSAPI authentication, bringing me to the
> conclusion that the RFC 3920 (bis) doesn't say much about the _hostname_
> of the service.

RFC 3920 (or rfc3920bis) doesn't get into the details of particular SASL
mechanisms. As far as I know, GSSAPI is the only SASL mechanism that
uses the service hostname -- the other mechanisms tend to accept only
the username portion of the JID (or a certificate that contains the JID).

> So here is my question to the broad mass of developers: How should I determine
> the hostname of the service I'm authenticating with?

As we discussed in the jdev room yesterday, I think you would use the
machine-name that you discovered via SRV lookup:


> I also wonder which server supports GSSAPI mechanisms, so that I can
> test implementation.

It's not the most popular SASL mechanism because not that many
organizations deploy Kerberos.
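
Added example, not part of the original message or of AnyEvent::XMPP: a Python illustration of the approach described above, where the GSSAPI host-based service name is built from the machine name found via SRV lookup rather than from the JID domain. The SRV records, hostnames and function names are constructed for illustration; the `xmpp` service name and the `_xmpp-client._tcp` label come from RFC 3920, and ordering equal-priority records by weight is a deterministic simplification of RFC 2782's weighted random choice.

```python
from typing import List, NamedTuple

SASL_SERVICE = "xmpp"  # SASL service name for XMPP (RFC 3920)


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def domain_of(jid: str) -> str:
    """Return the domain part of a JID of the form node@domain/resource."""
    bare = jid.split("/", 1)[0]          # drop the resource first
    return bare.rsplit("@", 1)[-1].lower()


def srv_query_name(jid: str) -> str:
    """DNS name to query for the client-to-server SRV records."""
    return f"_xmpp-client._tcp.{domain_of(jid)}."


def gssapi_targets(jid: str, srv_records: List[Srv]) -> List[str]:
    """Host-based GSSAPI service names ("service@host") in connection order."""
    if not srv_records:
        # No SRV answer: the client falls back to the JID domain itself.
        hosts = [domain_of(jid)]
    elif len(srv_records) == 1 and srv_records[0].target == ".":
        return []                        # RFC 2782: service not offered
    else:
        # Lowest priority first; weight ordering is an assumed simplification.
        ordered = sorted(srv_records, key=lambda r: (r.priority, -r.weight))
        hosts = [r.target.rstrip(".").lower() for r in ordered]
    return [f"{SASL_SERVICE}@{h}" for h in hosts]


# Constructed sample data: what a resolver might return for srv_query_name().
SAMPLE_JID = "robin@example.org/laptop"
SAMPLE_SRV = [
    Srv(20, 0, 5222, "backup.example.net."),
    Srv(10, 5, 5222, "xmpp1.example.org."),
    Srv(10, 10, 5222, "XMPP2.example.org."),
]

if __name__ == "__main__":
    print(srv_query_name(SAMPLE_JID))
    for name in gssapi_targets(SAMPLE_JID, SAMPLE_SRV):
        print(name)
```

The name passed to the GSSAPI mechanism should be the one for the host the client actually connected to, so a client that moves on to the next SRV target also moves on to the next service name.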

