Steve Holme wrote:

> > > * Should we implement support for an empty authentication identifier
> > >   (via an empty username) as I believe is allowed in the RFC or do
> > >   your modifications already cater for this?
> >
> > Yes, and it's currently done this way. In TLS cases, empty username
> > tells to use id from cert. Using a non-empty username can only be used
> > if the server allows to delegate authorizations, such as an
> > administrator acting for a normal user. I've never seen such an
> > implementation, but curl supports it.
>
> That's what I thought. In the SASL code is it the
> Curl_sasl_can_authenticate() that allows this?

Yes. The idea is: check user_passwd to see if some (or both) have been
specified: this is the test part that used to exist in each
protocol-specific module. Then check the availability and request for
EXTERNAL too, even if no user/password has been provided: this covers the
"no user" external authentication.

In possible future needs, we may alter this procedure for specific cases
instead of having to duplicate the test in each SASL-aware module.

You may also note that non-external mechanisms are skipped if user_passwd
is not set.

Cheers,
Patrick

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
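
The check described in the message above, as an added sketch that is not code from curl or from this thread: every `ex_`/`EX_` name and bit value is hypothetical. Trying EXTERNAL only when no password is set, and preferring CRAM-MD5 over PLAIN, are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical mechanism bits for this example (not curl's definitions). */
#define EX_MECH_PLAIN     (1u << 0)
#define EX_MECH_CRAM_MD5  (1u << 1)
#define EX_MECH_EXTERNAL  (1u << 2)

struct ex_creds {
  const char *user;    /* NULL or "" when not given */
  const char *passwd;  /* NULL or "" when not given */
};

static bool ex_given(const char *s) { return s && *s; }

/* "user_passwd": some (or both) of user and password have been specified. */
static bool ex_user_passwd(const struct ex_creds *c)
{
  return ex_given(c->user) || ex_given(c->passwd);
}

/* Protocol-independent gate: credentials were given, or EXTERNAL is both
   advertised by the server and requested by the caller. */
bool ex_can_authenticate(const struct ex_creds *c, unsigned server,
                         unsigned requested)
{
  if(ex_user_passwd(c))
    return true;
  return (server & requested & EX_MECH_EXTERNAL) != 0;
}

/* Pick one mechanism; returns 0 if none is usable. For EXTERNAL, *authzid is
   the user name, or "" to let the server take the identity from the cert. */
unsigned ex_pick_mechanism(const struct ex_creds *c, unsigned server,
                           unsigned requested, const char **authzid)
{
  unsigned usable = server & requested;
  *authzid = NULL;
  /* Assumption of this example: EXTERNAL is tried when no password is set. */
  if((usable & EX_MECH_EXTERNAL) && !ex_given(c->passwd)) {
    *authzid = ex_given(c->user) ? c->user : "";
    return EX_MECH_EXTERNAL;
  }
  if(!ex_user_passwd(c))
    return 0;                    /* non-EXTERNAL mechanisms are skipped */
  if(usable & EX_MECH_CRAM_MD5)
    return EX_MECH_CRAM_MD5;
  return usable & EX_MECH_PLAIN;
}
```
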
