On May 10, 2013, at 8:29 AM, Alexander Gnauck <gna...@ag-software.de> wrote:

> currently I have some issues with the Kerberos principal in GSSAPI SASL
> authentication.
> What is the correct way for building the Kerberos principal for
> authentication in the client?
> 
> 1) xmpp/xmppdomain@realm
> 2) xmpp/hostname@realm
> 
> with hostname I mean the host we are connecting the TCP socket to according 
> to SRV lookups.
> 
> I have tested only on Cisco XCP and M-Link yet. XCP puts the Kerberos
> principal in a special attribute which is nice and it looks like M-Link wants
> the hostname here and not the xmpp domain.
> 

We tried to address this with domain principals 
(<service>/<host-for-domain>/<domain>@REALM) and [XEP-0233], but that has gone 
deferred.  I think there was one implementation each (client, server) but I've 
lost track of them.  I'd be happy to help move that to draft if there is 
interest.

Absent all of that, GSSAPI requires the hostname.  It's not exactly in line with 
our expectations in XMPP, though, which is why some of us started on XEP-0223.


- m&m

Matthew A. Miller
< http://goo.gl/LK55L >

[XEP-0233] "XEP-0233: Domain-Based Service Names in XMPP SASL Negotiation" < http://xmpp.org/extensions/xep-0233.html >
