ejabberd instant messaging server [PSARC/2008/340 FastTrack timeout 05/29/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Tue Jun 3 07:28:40 PDT 2008
On Tue, Jun 03, 2008 at 07:57:06PM +0800, Raymond Xiong wrote:
> ejabberd supports SASL (actually it always uses SASL, so that a client
> that doesn't support SASL cannot connect to it), but unfortunately
> it only supports very limited mechanisms: digest-md5, plain, and
> anonymous.
That's fine. SASL/GSSAPI support would be very nice too, but that's
another case.
> That is due to the fact that, rather than rely on a native C library,
> ejabberd implements SASL on its own. I googled this topic but
> found very little discussion of it. I don't think there is active
> development to improve this either.
Is the TLS layer also implemented natively by ejabberd?
> So, the way I understand it, to authenticate ejabberd users via
> UNIX credentials or other PAM authentication services, PAM needs
> to be configured explicitly (although SASL is always used). It
> seems the current SASL support in ejabberd is more like a way
> to transfer a password on the network than an authentication framework.
Right. I'm supporting your decision to disable this.
> BTW, XMPP (and ejabberd) also supports TLS to encrypt all the XML
> messages (including messages for authentication). That is an
> optional feature and can be configured. (I think SASL is also
> an optional feature, but it cannot be configured for ejabberd.)
Does ejabberd use OpenSSL?
> Regarding ejabberd support for PAM authentication, I have tried
> that and it seems to work. To perform PAM authentication, ejabberd
> uses an external C program. To solve the root privileges issue,
> the manual suggests using the setuid approach (see "PAM authentication"
> in section 3.1.4 on the following link).
Please leave PAM support disabled / compiled out.
Nico