On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > Now please see attached.
>
> Thanks. I'll try to look at this soon.
>
> I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> as well as cyrus-sasl source code -- the binaries are already installed cause
> sendmail uses them, but I've never used SASL for anything other than smtp
> auth with sendmail, and that is pretty simple to set up.

I've given this a look today. The SASL documentation mentions that cross-realm support depends on the application, so your approach at solving the problem in Subversion is correct.

What worries me is that your patch to the SASL gssapi module is needed to make use of cross-realm authentication with Kerberos. It seems the SASL developers have not responded to your patch (at least they did not respond publicly):
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372

Do you have an idea about whether the patch will be applied to SASL?

Is there any useful purpose for cross-realm authentication without using Kerberos? If so, can you suggest a way for me to test this without patching SASL? If not, I'd rather wait for your gssapi patch to be included in SASL before adding support for this to Subversion. We can't require all users to patch SASL...

(The gssapi patch in the script you attached is reversed, BTW.)

Thanks,
Stefan