Home/ Questions/Q 160873
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T11:06:44+00:00

Does the Cyrus SASL api not support the EXTERNAL mechanism? I’m trying to use

  • 0

Does the Cyrus SASL api not support the EXTERNAL mechanism? I’m trying to use it as a client, but it returns SASL_NOMECH when asked.

% cat cyrus_sal_ex.c /* cyrus_sasl_ex.c: Example of using the Cyrus SASL api */ #include <stdio.h>      /* for printf() */ #include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */  static char const * SASL_return_code(int const code)  {   switch(code)    {     /* ... */     case SASL_OK:     return 'SASL_OK[0]: successful result';     /* ... */     case SASL_NOMECH: return 'SASL_NOMECH[-4]: mechanism not supported';     /* ... */   }   return 'unrecognized'; }  int main() {   char const *  output = NULL;   unsigned      outlen = 0;   char const *  mechanism = NULL;   sasl_conn_t * conn;  # define PRINT_RESULT( x ) do\   {\     int const __result = (x);\     printf('%s == %d\n\t%s\n', #x, __result, SASL_return_code(__result));\     if (__result < 0) goto done;\   }\   while (0)    PRINT_RESULT( sasl_client_init( NULL ) );   PRINT_RESULT( sasl_client_new( 'fake', 'fakey.mcfaker.ton', '127.0.0.1', '127.255.255.1', NULL, 0, &conn) );   PRINT_RESULT( sasl_client_start( conn, 'EXTERNAL', NULL, &output, &outlen, &mechanism) );  done: # undef PRINT_RESULT   printf('output: [%d bytes] : %s\n', outlen, (output ? output : 'NULL') );   printf('mechanism: %s\n', (mechanism ? mechanism : 'NULL'));    return 0; } % gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex # your header/library locations may vary % ./cyrus_sasl_ex sasl_client_init( NULL ) == 0         SASL_OK[0]: successful result sasl_client_new( 'fake', 'fakey.mcfaker.ton', '127.0.0.1', '127.255.255.1', NULL, 0, &conn) == 0         SASL_OK[0]: successful result sasl_client_start( conn, 'EXTERNAL', NULL, &output, &outlen, &mechanism) == -4         SASL_NOMECH[-4]: mechanism not supported output: [0 bytes] : NULL mechanism: EXTERNAL %

I browsed through the source though, and it looks like all the clients should support the EXTERNAL mechanism:

cyrus-sasl-2.1.22/lib/client.c: 196 int sasl_client_init(const sasl_callback_t *callbacks) 197 { ... 227 228   sasl_client_add_plugin('EXTERNAL', &external_client_plug_init); 229

So I’m guessing I’m doing something wrong here. I tried adding all the sasl_callback_ts I could think of to sasl_client_*(), but none of them even got called. Is there some argument I should pass that asserts that EXTERNAL is an acceptable mechanism? Or is SASL_NOMECH always returned for EXTERNAL – b/c that doesn’t seem right.

Can anyone help me out?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Ok, I found the left out step.

    According to sasl/sasl.h, I needed to set the SASL_AUTH_EXTERNAL property for my sasl_conn_t first:

    /* set property in SASL connection state  * returns:  *  SASL_OK       -- value set  *  SASL_BADPARAM -- invalid property or value  */ LIBSASL_API int sasl_setprop(sasl_conn_t *conn,                  int propnum,                  const void *value); #define SASL_SSF_EXTERNAL  100  /* external SSF active (sasl_ssf_t *) */ #define SASL_SEC_PROPS     101  /* sasl_security_properties_t */ #define SASL_AUTH_EXTERNAL 102  /* external authentication ID (const char *) */  /* If the SASL_AUTH_EXTERNAL value is non-NULL, then a special version of the  * EXTERNAL mechanism is enabled (one for server-embedded EXTERNAL mechanisms).  * Otherwise, the EXTERNAL mechanism will be absent unless a plug-in  * including EXTERNAL is present.  */

    Once I did that, the rest worked out:

    % cat cyrus_sasl_ex.c /* Example of using the Cyrus SASL api */ #include <stdio.h>          /* for printf() */ #include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */  int main() {     char const *    output = NULL;     unsigned            outlen = 0;     char const *    mechanism = NULL;     sasl_conn_t * conn;  #   define PRINT_RESULT( x ) do\     {\         int const __result = (x);\         printf('%s == %d\n\t%s\n', #x, __result, sasl_errstring(__result,NULL,NULL));\         if (__result < 0) goto done;\     }\     while (0)      PRINT_RESULT( sasl_client_init( NULL ) );     PRINT_RESULT( sasl_client_new( 'fake', 'fakey.mcfaker.ton', '127.0.0.1', '127.255.255.1', NULL, 0, &conn) );     PRINT_RESULT( sasl_setprop( conn, SASL_AUTH_EXTERNAL, 'fake authority' ) );     PRINT_RESULT( sasl_client_start( conn, 'EXTERNAL', NULL, &output, &outlen, &mechanism) );  done: #   undef PRINT_RESULT     printf('output: [%d bytes] : %s\n', outlen, (output ? output : 'NULL') );     printf('mechanism: %s\n', (mechanism ? mechanism : 'NULL'));      return 0; } % gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex % ./cyrus_sasl_ex sasl_client_init( NULL ) == 0         successful result sasl_client_new( 'fake', 'fakey.mcfaker.ton', '127.0.0.1', '127.255.255.1', NULL, 0, &conn) == 0         successful result sasl_setprop( conn, SASL_AUTH_EXTERNAL, 'fake authority' ) == 0         successful result sasl_client_start( conn, 'EXTERNAL', NULL, &output, &outlen, &mechanism) == 0         successful result output: [0 bytes] : mechanism: EXTERNAL

    However, since the version of Cyrus SASL that comes pre-installed on OS X 10.5 has a bug in it that makes the external plugin require a SASL_CB_USER callback and passes it a NULL pointer to store its return value in, this still means I’ll have to update Cyrus SASL on all those machines.

    Or maybe I’ll just code around the bug.

    • 0