Full_Name: Florian Schmaus
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.217.98.14)
The openldap-jldap class com.novell.sasl.client.DigestMD5SaslClient uses the authorization id (authzid) as the value of the username directive. But the relevant RFC 2831 states in section 2.1.2 that there is a separate 'authzid' directive when assembling the digest-response. The value of username should be m_name (the authcid), and the response should add authzid only if it is set (note that authzid is *optional*).
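Added example (constructed, not openldap-jldap code): an RFC 2831 digest-response built with the authcid in `username` and `authzid` as a separate optional directive, plus a server-side check that shows why a client which puts the authzid into `username` fails against a server that looks passwords up by authcid. The helper names and the `passwords` map are assumptions for this demo.

```python
import hashlib
# Added, constructed example (not openldap-jldap code): RFC 2831 section 2.1.2
# digest-response assembly where `username` carries the authentication id
# (authcid) and `authzid` is a separate, optional directive.

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def response_value(authcid, realm, password, nonce, cnonce, nc, qop, uri, authzid=""):
    """RFC 2831 2.1.2.1: A1 starts with the raw MD5 of authcid:realm:password and
    ends with ":authzid" only when an authzid is present."""
    a1 = _md5(f"{authcid}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode())}"
    return _md5hex(kd.encode())

def digest_response(authcid, realm, password, nonce, cnonce, nc, qop, uri, authzid=""):
    """Client directives in the order the patched DigestMD5SaslClient emits them."""
    parts = [f'username="{authcid}"']  # the authcid, never the authzid
    if realm:
        parts.append(f'realm="{realm}"')
    parts += [f'nonce="{nonce}"', f'cnonce="{cnonce}"', f"nc={nc}", f"qop={qop}",
              f'digest-uri="{uri}"', "response=" + response_value(
                  authcid, realm, password, nonce, cnonce, nc, qop, uri, authzid),
              "charset=utf-8"]
    if authzid:  # optional directive: omitted entirely when empty
        parts.append(f'authzid="{authzid}"')
    return ",".join(parts)

def server_accepts(directives, passwords):
    """Server side (assumed demo logic): the password is looked up by `username`,
    so a client that sends the authzid there fails unless both ids coincide."""
    d = {}
    for item in directives.split(","):
        k, v = item.split("=", 1)
        d[k] = v.strip('"')
    password = passwords.get(d["username"])
    if password is None:
        return False
    expected = response_value(d["username"], d.get("realm", ""), password, d["nonce"],
                              d["cnonce"], d["nc"], d["qop"], d["digest-uri"], d.get("authzid", ""))
    return expected == d["response"]
```

The first assertion below reproduces the worked example from RFC 2831 section 4 (user "chris", password "secret"), which pins the hash construction.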
--- a/com/novell/sasl/client/DigestMD5SaslClient.java +++ b/com/novell/sasl/client/DigestMD5SaslClient.java @@ -661,7 +661,7 @@ public class DigestMD5SaslClient implements SaslClient true);
digestResponse.append("username=""); - digestResponse.append(m_authorizationId); + digestResponse.append(m_name); if (0 != m_realm.length()) { digestResponse.append("",realm=""); @@ -679,8 +679,12 @@ public class DigestMD5SaslClient implements SaslClient digestResponse.append(response); digestResponse.append(",charset=utf-8,nonce=""); digestResponse.append(m_dc.getNonce()); + if (m_authorizationId != null && m_authorizationId.length() >= 0) + { + digestResponse.append("",authzid=""); + digestResponse.append(m_authorizationId); + } digestResponse.append("""); - return digestResponse.toString(); }
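Review bot: the `+ digestResponse.append(m_name);` line in the first hunk fixes only the directive text, but RFC 2831 2.1.2.1 also hashes the same username-value into A1 (H(username:realm:passwd)); if the response-value computation elsewhere in this class still uses m_authorizationId, the directive and the hash will disagree and the server will reject the bind, so that code path needs the same change, and m_name should be confirmed non-null before it is appended.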
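Review bot: in the second hunk `m_authorizationId.length() >= 0` is always true for a non-null string, so an empty authorization id still emits `authzid=""`, contrary to the description (add it only when set); use `> 0`. The same hunk also removes `return digestResponse.toString();` with no replacement, so unless another return exists outside the shown context the method no longer returns the assembled response; that line should stay. Finally, once authzid is sent, RFC 2831 requires A1 to end in ":authzid", so the response-value computation needs the identical condition.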