I’‘ve been trying to find documentation about how Wildfire uses SASL for authentication, but haven’‘t had much success. I understand that for SASL to work correctly the client must support it, however, one question I’'m getting stuck on is whether a Wildfire installation that uses LDAP for authentication can also use SASL.
From this thread http://www.jivesoftware.org/community/thread.jspa?messageID=118266𜷺[URL], it says that “As you have realized LDAP does not support digest mode so it is not being offered by the server to the client”. I have a feeling that this is the answer I’'m looking for, but am still a bit unsure?
It would be great if somebody could point me in the right direction with SASL, and SASL with LDAP? Also what clients do support SASL. I’'ve read that Spark does, but how can one tell if SASL is being used with authentication or not?
Thanks in advance.
SASL is just a generic authentication method. It supports many mechanisms, one of which is digest. But also others, such as PLAIN, GSSAPI (and many more that Wildfire dosnt know how to support). The trouble is, for the digest style authentications to work, Wildfire itself needs to know the user’'s password. When using LDAP, Wildfire does not know, so it cant use it.
It would be an interesting exersize to see someone implement a SASL “passthrough” which uses the SASL mechanisms of the LDAP server (if it supports it). But this idea is wildly off topic to your question.
In answer to your question, yes SASL authentication will work. Wildfire will try to do the right thing. If you have an older client that dosnt support SASL authentication, Wildfire will still work. Most clients should describe what they can handle. But off the top of my head, I know that:
Gaim 1.x does not
Gaim 2.x does
tkabber does not
Hope this helps.
Thanks for that!
So basically what I gained from that is I can’‘t really use SASL with LDAP, since Wildfire can’'t see the LDAP password to create a digest from it.
Think I understand it now!
Actually, you CAN use SASL, but Wildfire will probably just allow the PLAIN authentication mechanism for SASL auth.