Henry B. Hotz wrote:
The published sample code seems to only try the first mechanism and
then quit. I'm told the "correct" way to do SASL is to try all the
mechanisms (or at least all the ones supported) and don't quit until
you've tried them all. Is there any example code that illustrates this?
(I wanted to point you to Cyrus imtest, but it doesn't do that).
In general, I think a well written SASL client should behave as follows:
It should sort SASL mechanisms that both client and server support by
their "strength" or features recognized by the client. For SASL
mechanisms with equal strength the order used by the server can be used.
The client starts iterating through the ordered list, starting from the
strongest mechanism. It tries the mechanism. If authentication succeeds
- success. If not, the client may retry the mechanism (e.g. if the
server returned an indication that the password is incorrect) several
times, say 3 times. After that the client should move on to the next
strongest SASL mechanism and so on.
There are of course some complications. Some SASL mechanisms that can
potentially be stronger can end up being weaker, because of the options
that the server supports.