Henry B. Hotz wrote:
> On Jun 22, 2010, at 2:53 PM, Henry B. Hotz wrote:
>> Suppose I have a defined Java API which specifies arguments Username and
>> Password for opening a new session. The implementation and protocol are
>> officially unspecified, so we can do whatever we want with those arguments.
>> How can/should I map between those arguments and SASL if I want to
>> implement the real connection using SASL? Is there any "prior art" like this?
>> I'm thinking that the username should map to either the authentication
>> ID, and the "password"
>
> Should say: "username should map to the authorization ID".
Pretty sure you were right the first time. In the default case when an app
only provides a single username, it *must* be the authC ID. You can't do any
authC check without it, while the authZ ID is always optional.
>> could be either some kind of description like MECH:[credential location] or
>> an actual binary blob, or maybe empty (in favor of some system properties). If
>> someone else has defined a translation like this in a generic way, I'd like to
>> go with that.
>>
>> If it matters, the actual example is a JMS implementation.
If you aren't able to do an interactive conversation to get more info, that
limits your selection of mechs. Putting a mech prefix in there is interesting;
who selects it? Not the user I would assume.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
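As an added illustration of the point made above (not code from this thread or from any of its participants): a Java bridge that hands the session API's Username to SASL as the authentication (authC) ID, answers the PasswordCallback with the Password, leaves the authorization (authZ) ID null, and offers only mechanisms that can finish without further prompting. The class name SessionSaslBridge, the method openSession and the mechanism list are assumptions.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import java.util.HashMap;
import java.util.Map;

public final class SessionSaslBridge {
    // Mechanisms that can complete with nothing beyond a name and a password.
    // Constructed list for this example; narrow it to what the server offers.
    private static final String[] NON_INTERACTIVE_MECHS = { "DIGEST-MD5", "CRAM-MD5", "PLAIN" };

    /** Hypothetical entry point mirroring a JMS-style API that supplies only a username and password. */
    public static SaslClient openSession(String username, String password,
                                         String protocol, String serverName) throws SaslException {
        // A single username can only be the authentication ID: no authC check is
        // possible without it. The authorization ID is optional, so it stays null.
        String authzId = null;

        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);          // authC ID
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                } else if (cb instanceof RealmCallback) {
                    // DIGEST-MD5 asks for a realm; accept whatever the server proposes.
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else {
                    // Anything else would need the interactive conversation this API cannot have,
                    // so the mechanism is rejected rather than guessed at.
                    throw new UnsupportedCallbackException(cb, "non-interactive session API");
                }
            }
        };

        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth");   // authentication only; no integrity/confidentiality layer requested
        return Sasl.createSaslClient(NON_INTERACTIVE_MECHS, authzId, protocol, serverName, props, handler);
    }
}
```

The returned SaslClient still has to be driven through evaluateChallenge() against the server's challenges by the transport code; the bridge only decides what the two API arguments mean to SASL.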