On 2015-03-18 00:47, Timo Sirainen wrote:
> - If auth proxying is enabled, perform passdb lookup on non-plaintext
> auth on the initial SASL response. Return "finished" to the auth
> client with some "mech-proxy=y" extra field, so it knows to start
> proxying the SASL session to the destination server.
This is actually the tricky part.
To perform a proper passdb lookup, the proxy will have to be able to
decode the user from the SASL IR even though it might not be able to
authenticate. This requires knowledge of the SASL IR format (like
extracting authz-id/authn-id from the PLAIN argument).
That might not be possible for all SASL mechanisms. With GS2-KRB5 you
can always get authz-id. On the other hand, mechanisms like GSSAPI
(which would work for other reasons) require actually performing the
authentication before authz-id can be known.
So ... it might be a bit difficult to precisely define which mechanism
such a feature covers and which it doesn't.
/Peter
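The decoding step Peter describes, as an added example that is not part of the thread and not Dovecot code: a small Python module that pulls the identity out of a SASL initial response without authenticating it, for PLAIN (RFC 4616, where authzid/authcid are NUL-separated) and for the GS2 header of GS2-KRB5 (RFC 5801, where the authzid is in the cleartext header in front of the opaque Kerberos token), and that reports "not determinable" for GSSAPI (RFC 4752), whose authzid only arrives in the final wrapped message after the context is established. All names (`SaslFormatError`, `parse_plain_ir`, `parse_gs2_header`, `proxy_lookup_user`) are my own; the input is assumed to already be the raw bytes after base64 transport decoding, and the proxy's actual passdb lookup and the "mech-proxy=y" reply are not modelled.

```python
"""Pre-authentication identity extraction from a SASL initial response.

Hypothetical helper, not Dovecot code: gives an auth proxy the user name
it needs for a passdb lookup before the SASL exchange is verified.
"""


class SaslFormatError(ValueError):
    """The initial response does not match the mechanism's wire format."""


def _utf8(raw: bytes, what: str) -> str:
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        raise SaslFormatError(f"{what} is not valid UTF-8") from None


def parse_plain_ir(ir: bytes):
    """RFC 4616: message = [authzid] UTF8NUL authcid UTF8NUL passwd.

    Returns (authzid or None, authcid). The password is checked for
    presence only and never returned: the proxy cannot verify it.
    """
    parts = ir.split(b"\x00")
    if len(parts) != 3:
        raise SaslFormatError("PLAIN response must contain exactly two NULs")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise SaslFormatError("authcid and passwd must be non-empty")
    return (_utf8(authzid, "authzid") if authzid else None,
            _utf8(authcid, "authcid"))


def decode_saslname(raw: bytes) -> str:
    """RFC 5801 saslname: ',' is sent as '=2C' and '=' as '=3D'.
    Any other '=' sequence is a protocol error."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"=":
            esc = raw[i:i + 3]
            if esc == b"=2C":
                out += b","
            elif esc == b"=3D":
                out += b"="
            else:
                raise SaslFormatError(f"bad escape {esc!r} in saslname")
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return _utf8(bytes(out), "saslname")


def parse_gs2_header(ir: bytes):
    """RFC 5801 section 4:
      gs2-header = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","
    Returns (authzid or None, cb_flag, nonstd, gss_token); the token is
    left opaque, only the real Kerberos acceptor can verify it."""
    rest = ir
    nonstd = rest.startswith(b"F,")          # gs2-nonstd-flag = "F"
    if nonstd:
        rest = rest[2:]
    cb_flag, sep, rest = rest.partition(b",")
    if not sep:
        raise SaslFormatError("missing gs2-cb-flag terminator")
    if not (cb_flag in (b"n", b"y")
            or (cb_flag.startswith(b"p=") and len(cb_flag) > 2)):
        raise SaslFormatError(f"bad gs2-cb-flag {cb_flag!r}")
    authz_field, sep, token = rest.partition(b",")   # saslname has no ','
    if not sep:
        raise SaslFormatError("missing gs2-authzid terminator")
    if authz_field == b"":
        authzid = None
    elif authz_field.startswith(b"a=") and len(authz_field) > 2:
        authzid = decode_saslname(authz_field[2:])
    else:
        raise SaslFormatError(f"bad gs2-authzid {authz_field!r}")
    return authzid, cb_flag.decode("ascii"), nonstd, token


def proxy_lookup_user(mech: str, ir: bytes):
    """Identity for the proxy's passdb lookup, or None when the mechanism
    does not reveal it before authentication completes."""
    mech = mech.upper()
    if mech == "PLAIN":
        authzid, authcid = parse_plain_ir(ir)
        return authzid or authcid
    if mech == "GS2-KRB5":
        authzid, _cb, _nonstd, _token = parse_gs2_header(ir)
        # None: client sent no authzid, so the principal it will act as
        # is only inside the (still unverified) Kerberos token.
        return authzid
    if mech == "GSSAPI":
        # RFC 4752: the first message is a bare InitialContextToken; the
        # authzid comes in the final wrapped message, after context setup.
        return None
    raise NotImplementedError(f"no pre-auth identity extraction for {mech}")


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises SaslFormatError (for self-checks)."""
    try:
        fn(*args)
    except SaslFormatError:
        return True
    return False
```

The GSSAPI branch is the point of Peter's caveat: a proxy that wants the destination before authenticating can serve PLAIN and a GS2-KRB5 client that fills in `a=`, but has nothing to look up for GSSAPI or for a GS2-KRB5 client that leaves the authzid empty, so the feature's mechanism list has to be decided per mechanism rather than declared globally.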