--On Wednesday, May 30, 2007 8:50 AM +0100 Simon Wilkinson simon@sxw.org.uk wrote:
I've done something similar to this with other SASL clients. I assume that what you (they?) want is to be able to provide a list along the lines of 'try GSSAPI, then if that fails, try DIGEST-MD5', etc. You can drive Cyrus SASL in this way, but I suspect you need a closer relationship to the SASL code than ldap_sasl_bind_interactive_s gives you. Roughly, what works is to take the list of mechanisms that the server gives you, and start a loop. Call into the SASL library with this list, and do the SASL handshake as normal. If it fails at any point, ask it what mechanism just failed, and remove it from your list of permitted mechanisms, and go round again. You're done when you've either run out of permitted mechanisms, or the authentication succeeds. This model means that you can try GSSAPI first, and then fall back to password based mechanisms when that fails, without having to involve the user in that process.
Hm, do you have an example of this available? ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
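
A sketch of the loop described in the quoted message, added here as an example; it is not code from this thread, from Cyrus SASL or from OpenLDAP. The names `handshake_fn`, `offered`, `bind_with_fallback` and `demo_handshake` are hypothetical: the callback stands in for a complete SASL handshake, and the demo outcome (GSSAPI fails, DIGEST-MD5 succeeds) is constructed. Only mechanisms on the client's own permitted list are ever tried, whatever the server offers.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MECHS 8

/* Hypothetical stand-in for one complete SASL handshake over a
 * space-separated mechanism list: sets *chosen to the mechanism that was
 * attempted and returns 0 on success, non-zero on failure. */
typedef int (*handshake_fn)(const char *mechlist, const char **chosen);

/* Whole-token match, so SCRAM-SHA-1 does not match inside SCRAM-SHA-1-PLUS. */
static int offered(const char *list, const char *mech) {
    size_t n = strlen(mech);
    for (const char *p = list; (p = strstr(p, mech)) != NULL; p += n)
        if ((p == list || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0'))
            return 1;
    return 0;
}

/* Returns the permitted mechanism that authenticated, or NULL if none did. */
const char *bind_with_fallback(const char *const *permitted, size_t n,
                               const char *server_offer, handshake_fn attempt) {
    const char *live[MAX_MECHS];
    size_t count = 0, i, idx;
    for (i = 0; i < n && count < MAX_MECHS; i++)  /* permitted AND offered */
        if (offered(server_offer, permitted[i])) live[count++] = permitted[i];
    while (count > 0) {
        char list[256] = "";
        const char *chosen = NULL;
        for (i = 0; i < count; i++) {             /* rebuild the current list */
            if (i) strncat(list, " ", sizeof list - strlen(list) - 1);
            strncat(list, live[i], sizeof list - strlen(list) - 1);
        }
        int rc = attempt(list, &chosen);
        for (idx = 0; chosen && idx < count; idx++)
            if (strcmp(live[idx], chosen) == 0) break;
        if (!chosen || idx == count) return NULL; /* nothing permitted was tried */
        if (rc == 0) return live[idx];            /* authenticated */
        for (i = idx; i + 1 < count; i++) live[i] = live[i + 1];
        count--;                                  /* failed mechanism removed */
    }
    return NULL;                                  /* ran out of mechanisms */
}

/* Constructed demo: tries the first listed mechanism; only DIGEST-MD5 works. */
static int demo_handshake(const char *mechlist, const char **chosen) {
    static char picked[64];
    sscanf(mechlist, "%63s", picked);
    *chosen = picked;
    return strcmp(picked, "DIGEST-MD5") == 0 ? 0 : -1;
}
```

With a permitted list of GSSAPI and DIGEST-MD5 and a server offer of "PLAIN DIGEST-MD5 GSSAPI", the loop tries GSSAPI, drops it, and authenticates with DIGEST-MD5; PLAIN is never attempted because it is not on the permitted list.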