[Psi-Devel] GSSAPI / Kerberos single-signon

Justin Karneges justin-psi2 at affinix.com
Sat Nov 10 13:40:05 PST 2007


On Saturday 10 November 2007 1:16 pm, Simon Wilkinson wrote:
> that patch. In particular, it's important that the SASL libraries use
> the FQDN of the server being connected to (after any SRV resolution),
> rather than the domain of the user's JID, when providing the service
> name to Cyrus. I don't know if Psi is doing this, but it's worth
> checking, as it seems to be the single largest cause of client side
> problems with GSSAPI.

We were wondering about this as well.  Do you have any reference/spec that 
shows we should use the target server being connected to?  Right now we pass 
the JID's domain, and I wonder if changing this would break other mechanisms 
or introduce security risks.  I don't know enough about Kerberos and SASL to 
understand the issue.

-Justin
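An added illustration of the point in the quoted text, not code from Psi, Cyrus SASL or either poster: it derives the host a client would hand to the SASL library from the SRV target rather than from the JID's domain. The record values and function names are constructed for the example, and weight handling is simplified to a deterministic tie-break.

```python
# Added example: all names and records here are constructed for illustration.
from typing import NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def normalize_host(name: str) -> str:
    """Lowercase and drop the trailing root dot that DNS answers carry."""
    return name.rstrip(".").lower()


def pick_srv_target(records: list[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins (RFC 2782). Ties go to the highest weight, a
    deterministic simplification of the RFC's weighted random choice."""
    if not records:
        return None  # no SRV data: caller falls back to the JID domain
    usable = [r for r in records if r.target != "."]
    if not usable:
        # A lone "." target means the service is not offered at this domain.
        raise LookupError("SRV says service is not available")
    return min(usable, key=lambda r: (r.priority, -r.weight))


def sasl_server_fqdn(jid_domain: str, records: list[SrvRecord]) -> str:
    """Host to give the SASL library: the SRV target being connected to,
    or the JID domain when there are no SRV records at all."""
    chosen = pick_srv_target(records)
    return normalize_host(chosen.target if chosen else jid_domain)


def gss_service_name(service: str, host: str) -> str:
    """GSSAPI host-based service name in 'service@host' form."""
    return f"{service}@{host}"


# Constructed answer for _xmpp-client._tcp.example.com
SAMPLE_SRV = [
    SrvRecord(10, 0, 5222, "backup.example.net."),
    SrvRecord(5, 30, 5222, "XMPP1.example.com."),
    SrvRecord(5, 70, 5222, "xmpp2.example.com."),
]

if __name__ == "__main__":
    print("from JID domain:", gss_service_name("xmpp", "example.com"))
    print("from SRV target:",
          gss_service_name("xmpp", sasl_server_fqdn("example.com", SAMPLE_SRV)))
```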

