[Standards] Re: SASL Plain - AuthID - Bare JID or User Name?

Mridul mridul at sun.com
Thu Feb 8 23:50:29 UTC 2007

Matthias Wimmer wrote:
> Hi Mridul!
> Mridul wrote:
>> I guess I was not clear in what I was trying to get at.
>> mridul at sun.com would be my mail id which is set as the uid for the 
>> server.
>> Assume that the server hosts both sun.com & test.com domains and I 
>> want to authenticate to test.com
>> What would I pass on to the server ?
>> Currently, the way we support it is we use the 'to' in the stream to 
>> identify which domain the user wants to auth to.
>> We use the user id to find which uid the user wants to log into.
> This seems to be perfectly fine to me as long as the value of the to 
> attribute is the same as the domain in the authorization id. 
> (Therefore in the standard case where you authenticate as the same 
> user as you want to authorize as.)
> The question is what to set the to attribute to if you authenticate 
> with a user in another domain as the user you authorize as. E.g. if 
> user mridul at sun.com is allowed to use the account mridul at test.com too.
Hi Matthias ,

  I need not have mentioned about server also hosting sun.com - which 
led to the confusion I guess (that was just a snippet off a deployment 
I was testing with hosted domains & jid escaping).

The way I meant it was : the user id is the mailid attribute in ldap.
That is, jid would be mridul\40sun.com at test.com (escaped as per xep 106).
User id would be mridul at sun.com.

In the above example, mridul at sun.com does not mean mridul wants to log 
into sun.com domain.
It means "mridul at sun.com" is the user name who wants to log into test.com.

Just assume that mail id attribute is used as user id.
And server is hosting a domain != mail domain.


> As you want to use the account "mridul at test.com" you have to send your 
> stream to "test.com".
> My proposal how to implement it on a server is to use the value of the 
> to attribute to initialize the default realm for SASL. But for 
> mechanisms not supporting to transmit a realm ALLOWING the syntax 
> username at realm to be passed as username.
> But as I said: I think it is an implementation or installation detail 
> of a server how authentication data looks like. You can compare this 
> with a mail-server. When you authorize as mridul at sun.com, there are 
> different possible setups for a mailserver to achieve that. Possible 
> setups for this situation include to authenticate as "mridul" (often 
> on servers only having one domain), "mridul at sun.com" (typically on 
> modern servers having multiple domains) or "mridul%sun.com" (used on 
> some older mail servers supporting multiple domains).
>> In this case, what do I pass on to the server ?
>> mridul at sun.com@test.com ? (not likely - and it is an impl detail that 
>> the client is not aware of).
>> mridul at sun.com with to = test.com ? (looks more in line with xmpp).
> I don't understand these examples of yours. Let me make some examples 
> myself (how I would implement it on my server):
> User mridul at sun.com authorizes as mridul at sun.com (his own account):
> root: to='sun.com'
> SASL: \0 mridul \0 password
> User mridul at test.com authorizes as mridul at test.com (his own account):
> root: to='test.com'
> SASL: \0 mridul \0 password
> User mridul at sun.com authorizes as alice at sun.com (intra-domain proxy 
> auth):
> root: to='sun.com'
> SASL: alice at sun.com \0 mridul \0 password
> User mridul at sun.com authorizes as alice at test.com (inter-domain proxy 
> auth)
> root: to='test.com'
> SASL: alice at test.com \0 mridul at sun.com \0 password
> Matthias
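
The two readings discussed in this message, as an added Python example that is not code from either poster or from any XMPP server: it parses a SASL PLAIN response, uses the stream `to` as the default realm, and shows how the same authcid maps to different JIDs depending on whether `@` is treated as a realm separator or as part of a mail-id user name. The function names and the `uid_is_mail_id` flag are hypothetical, addresses are written with `@`, and password verification and the proxy-authorization policy check are left to the caller.

```python
import base64

# XEP-0106 escapes for characters not allowed in a JID localpart
# (simplified for this example: the backslash rule \5c is omitted).
_ESCAPES = {" ": "\\20", '"': "\\22", "&": "\\26", "'": "\\27", "/": "\\2f",
            ":": "\\3a", "<": "\\3c", ">": "\\3e", "@": "\\40"}

def escape_node(node):
    return "".join(_ESCAPES.get(ch, ch) for ch in node)

def parse_plain(b64_response):
    """Split a SASL PLAIN response: [authzid] NUL authcid NUL passwd (RFC 4616)."""
    parts = base64.b64decode(b64_response, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or password")
    return authzid, authcid, passwd

def resolve(b64_response, stream_to, uid_is_mail_id=False):
    """Return (authenticating_jid, requested_jid) as bare JIDs.

    stream_to is the default realm. With uid_is_mail_id (hypothetical flag),
    an '@' in authcid is part of the user name, not a realm separator.
    """
    authzid, authcid, _ = parse_plain(b64_response)
    if uid_is_mail_id or "@" not in authcid:
        authn = f"{escape_node(authcid)}@{stream_to}"
    else:
        user, _, realm = authcid.rpartition("@")
        authn = f"{escape_node(user)}@{realm}"
    requested = authzid or authn
    # The account being used must live in the domain the stream was opened to.
    if requested.rpartition("@")[2] != stream_to:
        raise PermissionError("authzid domain does not match stream 'to'")
    return authn, requested

def b64(s):
    return base64.b64encode(s.encode()).decode()

if __name__ == "__main__":
    # Constructed sample: mail id used as user name on a server hosting test.com
    sample = b64("\0mridul@sun.com\0password")
    print(resolve(sample, "test.com", uid_is_mail_id=True))
```

When the two returned JIDs differ, the server still has to decide whether the authenticating identity is permitted to act as the requested one.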
