18 Mar 2015, 9:50 a.m.
On 2015-03-18 00:47, Timo Sirainen wrote:
> - If auth proxying is enabled, perform passdb lookup on non-plaintext auth on the initial SASL response. Return "finished" to the auth client with some "mech-proxy=y" extra field, so it knows to start proxying the SASL session to the destination server.
This is actually the tricky part. To perform a proper passdb lookup, the proxy will have to be able to decode the user from the SASL IR even though it might not be able to authenticate. This requires knowledge of the SASL IR format (like extracting authz-id/authn-id from the PLAIN argument). That might not be possible for all SASL mechanisms. With GS2-KRB5 you can always get authz-id. On the other hand, mechanisms like GSSAPI (which would work for other reasons) require actually performing the authentication before authz-id can be known.
So ... it might be a bit difficult to precisely define which mechanisms such a feature covers and which it doesn't.
/Peter
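Added example, not part of the original thread and not Dovecot code: the hypothetical helper below shows concretely what a proxy can and cannot learn from the initial SASL response alone for the mechanisms mentioned above. PLAIN carries authz-id and authn-id in clear; the GS2 header used by GS2-KRB5 and SCRAM carries an optional authz-id (SCRAM additionally exposes authn-id in its client-first-message-bare); a GSSAPI initial response is an opaque GSS-API token from which no name can be read without establishing the context. Function names and all sample responses are my own constructions.

```python
"""Can an auth proxy learn which user to look up from a SASL initial
response (IR) alone, without being able to authenticate?

Hypothetical helper written for this discussion, not Dovecot code. Wire
formats follow RFC 4616 (PLAIN), RFC 5801 (GS2 header, shared by SCRAM,
RFC 5802) and RFC 4752 (GSSAPI). All sample IRs below are constructed.
"""
from __future__ import annotations

from typing import Optional


def _unescape_saslname(name: str) -> str:
    """Undo GS2/SCRAM saslname escaping: '=2C' -> ',', '=3D' -> '='."""
    out = []
    i = 0
    while i < len(name):
        if name[i] != "=":
            out.append(name[i])
            i += 1
            continue
        esc = name[i:i + 3]
        if esc == "=2C":
            out.append(",")
        elif esc == "=3D":
            out.append("=")
        else:
            raise ValueError("invalid saslname escape %r" % esc)
        i += 3
    return "".join(out)


def parse_plain(ir: bytes) -> tuple[str, str]:
    """PLAIN IR = authzid NUL authcid NUL passwd; empty authzid means 'same as
    authcid' (RFC 4616). Returns (effective authz-id, authn-id)."""
    parts = ir.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN response")
    authz, authn = parts[0].decode("utf-8"), parts[1].decode("utf-8")
    return (authz or authn), authn


def parse_gs2_header(ir: bytes) -> tuple[Optional[str], bytes]:
    """Split off the GS2 header ["F,"] ("n"|"y"|"p="cb-name) "," ["a="authzid] ","
    and return (authz-id or None, bytes after the header). The header is ASCII,
    so searching for ',' is safe even when a binary GSS token follows it."""
    pos = 2 if ir.startswith(b"F,") else 0
    comma = ir.find(b",", pos)
    if comma < 0:
        raise ValueError("missing gs2-cb-flag")
    cb_flag = ir[pos:comma]
    if cb_flag not in (b"n", b"y") and not (cb_flag.startswith(b"p=") and len(cb_flag) > 2):
        raise ValueError("bad gs2-cb-flag %r" % cb_flag)
    pos = comma + 1
    comma = ir.find(b",", pos)  # a ',' inside the authzid is escaped as =2C
    if comma < 0:
        raise ValueError("missing gs2-authzid terminator")
    authz_field, rest = ir[pos:comma], ir[comma + 1:]
    if not authz_field:
        return None, rest
    if not authz_field.startswith(b"a="):
        raise ValueError("bad gs2-authzid field %r" % authz_field)
    return _unescape_saslname(authz_field[2:].decode("utf-8")), rest


def proxy_user_for(mech: str, ir: bytes) -> tuple[Optional[str], str]:
    """Return (user the proxy could look up in passdb, or None; explanation)."""
    mech = mech.upper()
    if mech == "PLAIN":
        authz, authn = parse_plain(ir)
        return authz, "authz-id from PLAIN (authn-id %s)" % authn
    if mech.startswith(("SCRAM-", "GS2-")):
        authz, rest = parse_gs2_header(ir)
        if authz is not None:
            return authz, "authz-id from GS2 header"
        if mech.startswith("SCRAM-"):
            # client-first-message-bare = ["m=...,"] "n=" saslname "," "r=" nonce
            for attr in rest.decode("utf-8").split(","):
                if attr.startswith("n="):
                    return _unescape_saslname(attr[2:]), "no authz-id; using SCRAM authn-id"
            raise ValueError("SCRAM client-first-message-bare lacks n=")
        return None, "no authz-id in GS2 header; authn-id is inside the Kerberos token"
    if mech == "GSSAPI":
        return None, "GSSAPI IR is an opaque GSS-API token; authz-id arrives only after context establishment"
    return None, "unknown mechanism %s" % mech


if __name__ == "__main__":
    gss_token = b"\x60\x82\x06\x10"  # constructed stand-in for a GSS-API token
    for mech, ir in [("PLAIN", b"\0alice\0secret"),
                     ("SCRAM-SHA-1", b"n,a=carol=2Cadmin,n=alice,r=fyko+d2lbbFgONRv9qkxdawL"),
                     ("GS2-KRB5", b"n,a=dave@EXAMPLE.ORG," + gss_token),
                     ("GS2-KRB5", b"n,," + gss_token),
                     ("GSSAPI", gss_token)]:
        user, why = proxy_user_for(mech, ir)
        print("%-12s %-14s %s" % (mech, user or "(unknown)", why))
```

Two practical caveats follow from the code. The GS2 authz-id is optional on the wire, so a GS2-KRB5 client that omits it leaves the proxy with nothing to look up before the Kerberos exchange; and whatever name the proxy extracts is unauthenticated at that point, so it is fit only as a lookup key for choosing the destination, never as the identity the session is finally authorized as. That decision has to come from the backend that completes the mechanism.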