Improper handling of null authorization ID in SASL+GSSAPI
Description
If a client does not supply an authorization ID, the server needs to do something useful. Currently it simply uses the authentication ID, which will only work in the case the realm and the xmpp.domain are identical.
Gaim/Pidgin 2.0.0 is an example of such a client.
Environment
Any client using SASL+GSSAPI that provides a null authorization ID
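One way a server could resolve the authorization identity when the client sends none, shown as an added example; it is not Openfire's code. The function names, the trusted_realms allow-list and the sample domains in the comments are assumptions made for illustration.

```python
class AuthzError(Exception):
    """The SASL exchange must fail instead of guessing an identity."""


def split_principal(principal):
    """Split a Kerberos principal 'user@REALM' into (user, REALM)."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise AuthzError("principal has no realm: %r" % principal)
    if "/" in user:
        # Instance/service principals (e.g. xmpp/host@REALM) are not user accounts.
        raise AuthzError("not a user principal: %r" % principal)
    return user, realm


def resolve_authzid(principal, authzid, xmpp_domain, trusted_realms):
    """Return the bare JID the session is authorized as.

    principal      -- authentication ID proven by GSSAPI, e.g. 'alice@CORP.EXAMPLE'
    authzid        -- authorization ID from the client; '' or None when absent
    xmpp_domain    -- the server's xmpp.domain, e.g. 'chat.example.org'
    trusted_realms -- hypothetical allow-list of realms mapped to local accounts
    """
    user, realm = split_principal(principal)
    # Realm names are compared exactly. Dropping the realm without this check
    # would let 'alice' from any cross-realm KDC become the local 'alice'.
    if realm not in trusted_realms:
        raise AuthzError("realm not trusted: %s" % realm)
    # Assumption: lowercasing stands in for XMPP nodeprep case folding.
    domain = xmpp_domain.lower()
    derived = "%s@%s" % (user.lower(), domain)
    if not authzid:
        # Null authzid: derive the identity from the principal, replacing the
        # realm with xmpp.domain rather than reusing 'user@REALM' as the JID.
        return derived
    requested = authzid.lower()
    if "@" not in requested:
        requested = "%s@%s" % (requested, domain)
    if requested != derived:
        # A principal may only act as its own account in this sketch.
        raise AuthzError("%s may not act as %s" % (principal, authzid))
    return derived
```

With this mapping the realm and xmpp.domain no longer have to match, and a principal from a realm outside the allow-list is rejected rather than mapped to a local account with the same name.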
Activity
Sebastien Bahloul September 20, 2007 at 12:51 AM
Hi,
Just a note to say that I think I encountered the same problem with the latest stable versions of Openfire (3.3.2) and Spark (2.5.6) while trying to use Kerberos authentication against an Active Directory controller.
The initial problem was how to use accounts from a central KDC against several servers that use different subdomain names, i.e. with DNS-based server address resolution. In this case, the realm and xmpp.domain must be different, which seems to be impossible.
Is there a way to bypass this issue or to specify an authorization ID?