On Tue, Jun 03, 2008 at 07:57:06PM +0800, Raymond Xiong wrote:
> ejabberd supports SASL (actually it always uses SASL so that a client
> that doesn't support SASL cannot connect to it), but unfortunately
> it only supports very limited mechanisms: digest-md5, plain, and
> anonymous.

That's fine. SASL/GSSAPI support would be very nice too, but that's another case.

> That is due to the fact that, rather than rely on a native C library,
> ejabberd implements SASL on its own. I googled on this topic but
> found very little discussion on it. I don't think there is active
> development to improve this either.

Is the TLS layer also implemented natively by ejabberd?

> So, the way I understand it, to authenticate ejabberd users via
> UNIX credentials or other PAM authentication services, PAM needs
> to be configured explicitly (although SASL is always used). It
> seems the current SASL support in ejabberd is more like a way
> to transfer the password on the network than an authentication framework.

Right. I'm supporting your decision to disable this.

> BTW, XMPP (and ejabberd) also supports TLS to encrypt all the XML
> messages (including messages for authentication). That is an
> optional feature and can be configured. (I think SASL is also
> an optional feature, but it cannot be configured for ejabberd).

Does ejabberd use OpenSSL?

> Regarding ejabberd support for PAM authentication, I have tried
> that and it seems to work. To perform PAM authentication, ejabberd
> uses an external C program. To solve the root privileges issue,
> the manual suggested using the setuid approach (see "PAM authentication"
> in section 3.1.4 on the following link).

Please leave PAM support disabled / compiled out.

Nico
--