[Standards] Re: SASL Plain - AuthID - Bare JID or User Name?

Matthias Wimmer m at tthias.eu
Fri Feb 9 00:09:35 UTC 2007

Hi Mirdul!

Mridul schrieb:
> I need not have mentioned about server also hosting sun.com - which 
> lead to the confusion I guess (that was just a snippet off a deployment 
> I was testing with hosted domains & jid escaping).
> The way I meant it was : the user id is the mailid attribute in ldap.
> That is, jid would be mridul\40sun.com at test.com (escaped as per xep 106).
> User id would be mridul at sun.com.
> In the above example, mridul at sun.com does not mean mridul wants to log 
> into sun.com domain.
> It means "mridul at sun.com" is the user name who wants to log into test.com.

The authentication identity does not have to tell the server to which 
domain it wants to log in. (That's not the task of authentication, but 
of authorization - so this is done in the authorization id.) If 
mridul at sun.com wants to log in to an account on test.com it would use 
(in my proposed deployment):

stream root: to='test.com' (mandated)

SASL PLAIN: account at test.com \0 mridul at sun.com \0 mridulsPassword 
(installation/implementation specific)

But you may express the username any other way the administrator of the 
server wants. E.g. a server might also be configured, that you pass a 
complete LDAP DN as the username. In that case you would log in to the 
server using the following data:

stream root: to='test.com'

SASL PLAIN: account at test.com \0 mail=mridul at sun.com,o=sun,c=us \0 pass

It is server deployment specific what has to be passed as the 
authentication id. That is a real important thing! We have a standard 
mapping ("SHOULD" in the RFC) that typically you use just the node value 
as the simple username if a SASL mechanism supports a simple username. 
But a server is free to deploy other semantics for a username, if it is 
required to do this to use his authentication backend.

For an implementation in a client this means, that for easy configuring 
you typically will enter just the JID of the account you want to 
authorize as. (e.g. "account at test.com") If you do not configure any 
additional settings, it the client will use "account" as the simple 
username it authenticates as.
But as this might not be right for some servers, the client needs to 
allow the user to setup a different authentication id, that it will use 
to authenticate at. So for the last example I made above, you would for 
example configure something like this:

JabberID: account at test.com
Password: pass
[X] use non-default authentication id
username: mail=mridul at sun.com,o=sun,c=us
realm: ldap.sun.com        <-- not used when authenticating using PLAIN

Remko told me, that Psi will have such a UI in the future.

> Just assume that mail id attribute is used as user id.
> And server is hosting a domain != mail domain.

I have to admit, that I don't see your problems yet. Please explain me 
where you found a problem with this.


Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/

More information about the Standards mailing list