[Standards] Re: SASL Plain - AuthID - Bare JID or User Name?

Matthias Wimmer m at tthias.eu
Thu Feb 8 23:37:10 UTC 2007


Hi Mridul!

Mridul schrieb:
> I guess I was not clear in what I was trying to get at.
> mridul@sun.com would be my mail id which is set as the uid for the server.
> Assume that the server hosts both sun.com & test.com domains and I want 
> to authenticate to test.com
> What would I pass on to the server ?
> Currently, the way we support it is we use the 'to' in the stream to 
> identify which domain the user wants to auth to.
> We use the user id to find which uid the user wants to log into.

This seems perfectly fine to me as long as the value of the to 
attribute is the same as the domain in the authorization id (that is, 
in the standard case where you authenticate as the same user you want 
to authorize as).

The question is what to set the to attribute to if you authenticate with 
a user in a different domain than the user you authorize as, e.g. if user 
mridul@sun.com is allowed to use the account mridul@test.com too.

As you want to use the account "mridul@test.com" you have to send your 
stream to "test.com".

My proposal for implementing it on a server is to use the value of the 
to attribute to initialize the default realm for SASL, but for mechanisms 
that do not support transmitting a realm, to ALLOW the syntax username@realm 
to be passed as the username.

But as I said: I think it is an implementation or installation detail of 
a server what authentication data looks like. You can compare this with a 
mail server. When you authorize as mridul@sun.com, there are different 
possible setups for a mail server to achieve that. Possible setups for 
this situation include authenticating as "mridul" (often on servers 
having only one domain), "mridul@sun.com" (typically on modern servers 
having multiple domains) or "mridul%sun.com" (used on some older mail 
servers supporting multiple domains).

> In this case, what do I pass on to the server ?
> mridul@sun.com@test.com ? (not likely - and it is an impl detail that 
> the client is not aware of).
> mridul@sun.com with to = test.com ? (looks more in line with xmpp).

I don't understand these examples of yours. Let me make some examples 
myself (how I would implement it on my server):

User mridul@sun.com authorizes as mridul@sun.com (his own account):

root: to='sun.com'
SASL: \0 mridul \0 password

User mridul@test.com authorizes as mridul@test.com (his own account):

root: to='test.com'
SASL: \0 mridul \0 password

User mridul@sun.com authorizes as alice@sun.com (intra-domain proxy auth):

root: to='sun.com'
SASL: alice@sun.com \0 mridul \0 password

User mridul@sun.com authorizes as alice@test.com (inter-domain proxy auth):

root: to='test.com'
SASL: alice@test.com \0 mridul@sun.com \0 password


Matthias

-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
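The four exchanges in the message above, worked through as an added example that is not code from the thread or from any XMPP server. It builds and parses RFC 4616 PLAIN messages (authzid NUL authcid NUL password, base64-wrapped as XMPP carries them in <auth>), and a server-side check that follows the proposal in the post: the stream's 'to' becomes the default SASL realm, a client may instead send user@realm as the authcid, an empty authzid means "authorize as the authenticated user", and the authorized account must live on the domain the stream was opened to. The PASSWORDS and PROXY_AUTH tables are constructed sample data, and all function names are this example's own.

```python
import base64
import hmac

# Constructed sample data for this example only (not from the original thread):
# plaintext passwords and a proxy-auth table saying which authenticated user
# may act as which other account. A real server keeps these elsewhere.
PASSWORDS = {
    "mridul@sun.com": "password",
    "mridul@test.com": "password",
}
PROXY_AUTH = {
    "mridul@sun.com": {"alice@sun.com", "alice@test.com"},
}


def build_plain(authcid, password, authzid=""):
    """Encode an RFC 4616 PLAIN message: [authzid] NUL authcid NUL password."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is the separator and may not appear in a field")
    return f"{authzid}\x00{authcid}\x00{password}"


def parse_plain(message):
    """Split a PLAIN message into (authzid, authcid, password); authzid may be ''."""
    parts = message.split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly two NUL separators")
    authzid, authcid, password = parts
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def to_xmpp_auth(message):
    """XMPP carries the SASL message base64-encoded inside <auth>/<response>."""
    return base64.b64encode(message.encode("utf-8")).decode("ascii")


def from_xmpp_auth(b64):
    return base64.b64decode(b64, validate=True).decode("utf-8")


def qualify(name, default_realm):
    """Turn a SASL identity into a bare JID. The stream 'to' is the default
    realm; a client may instead send user@realm explicitly (the post's proposal
    for mechanisms that cannot carry a realm). An XMPP localpart cannot contain
    '@', so splitting at the last '@' is unambiguous for well-formed input."""
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        if not user or not realm:
            raise ValueError(f"malformed identity: {name!r}")
        return f"{user}@{realm}"
    return f"{name}@{default_realm}"


def authenticate(stream_to, message):
    """Server-side check. Returns the bare JID the session is authorized as,
    or None if the credentials or the proxy-auth request are rejected."""
    authzid_raw, authcid_raw, password = parse_plain(message)
    authcid = qualify(authcid_raw, stream_to)
    # Empty authzid means "authorize as the authenticated user" (RFC 4616).
    authzid = qualify(authzid_raw, stream_to) if authzid_raw else authcid

    # The account being used must live on the domain the stream was opened to.
    if authzid.rsplit("@", 1)[1] != stream_to:
        return None

    expected = PASSWORDS.get(authcid)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return None

    # Proxy authorization: acting as someone else needs an explicit grant.
    if authzid != authcid and authzid not in PROXY_AUTH.get(authcid, set()):
        return None
    return authzid


if __name__ == "__main__":
    # Inter-domain proxy auth: mridul@sun.com uses alice@test.com on a stream to test.com.
    wire = to_xmpp_auth(build_plain("mridul@sun.com", "password", "alice@test.com"))
    print(wire, "->", authenticate("test.com", from_xmpp_auth(wire)))
```

Note that with only the stream 'to' as realm, "alice@test.com \0 mridul \0 password" sent to test.com authenticates mridul@test.com, not mridul@sun.com; the authcid has to be written out as mridul@sun.com for the inter-domain case, exactly as in the last exchange above.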