Graham Barr wrote:
On Tue, August 9, 2005 1:08 pm, SteveC said:
If that is the case, then if the SASL & DIGEST_MD5 modules provided a
callback to enable the realm to be overridden, a user could provide one
of the Microsoft 'standard' values (in the case of a perverse
configuration like mine!) and things would work with the 'preferred'
UPN. [It still doesn't solve my auth-int/auth-conf follow-on
requirements however!]
Well there is a "backdoor" you could use to verify this would work.
If you pass a sub-reference as the user,
  my $sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback => {
      user => \&user,
      pass => $passwd,
    }
  );
Then if you do not use the XS implementation, you can do
  sub user {
    my $obj = shift;
    $obj->{server_params}{realm} = "blah";
    return $user;
  }
Graham.
Graham,
I tried your suggestion and via this route I can authenticate using all
the forms of pre-computed digest that AD on W2k3 supports.
If you are interested, here is a patch for changing DIGEST_MD5 to allow
for a 'realm' callback. This also includes the correction to the 'serv'
handling for digest-uri.
Steve
--- /tmp/DIGEST_MD5.pm 2005-08-10 10:05:29.000000000 +0100
+++ DIGEST_MD5.pm 2005-08-10 10:07:34.000000000 +0100
@@ -73,7 +73,12 @@
my $serv_name = $self->_call('serv');
if (defined $serv_name) {
- $response{'digest_uri'} .= '/' . $serv_name;
+ $response{'digest-uri'} .= '/' . $serv_name;
+ }
+
+ my $realm = $self->_call('realm');
+ if (defined $realm) {
+ $response{'realm'} = $realm unless $realm eq 'default';
}
my $password = $self->_call('pass');
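Review bot: the `unless $realm eq 'default'` guard on the new `$response{'realm'}` assignment reserves the string 'default' as a sentinel, so a realm that is literally named "default" can never be selected through the callback. The `defined $realm` test just above it already covers the no-override case, so letting the callback return undef would do the same job without a magic value. The `digest_uri` to `digest-uri` key correction in the same hunk is unrelated to the realm feature and would be easier to track and backport as its own change.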
@@ -128,7 +133,8 @@
callback => {
user => $user,
pass => $pass,
- serv => $serv
+ serv => $serv,
+ realm => $realm,
},
);
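Review bot: the added `realm => $realm,` entry in the example callback hash gives the reader no hint that the key is optional. A short trailing comment saying it can be left out (or set to 'default') to keep the server-provided realm would stop people copying the example with a `$realm` variable they have never set.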
@@ -162,6 +168,12 @@
The service name when authenticating to a replicated service
+=item realm
+
+The authentication realm to use when it is neccessary to override
+the server-provided default value. A value of 'default' causes
+the server-provided value to be used.
+
=back
=head1 SEE ALSO
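Review bot: "neccessary" in the new `=item realm` text should be "necessary". The entry should also say what happens when no `realm` callback is supplied at all, and whether the override is meant to accept any value or only a realm the server offered, since the text currently documents only the 'default' sentinel.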