Realms

by Neil Schneider last modified 2005-05-04 19:23


The Cyrus SASL library supports the concept of "realms". A realm is an abstract set of users, and certain mechanisms authenticate users within a particular realm.

In the simplest case, a single server on a single machine, the realm might be the fully-qualified domain name of the server. If the application doesn't specify a realm to SASL, most mechanisms will default to this.

If a site wishes to share passwords between multiple machines, it might choose a domain name, such as "kernel-panic.org", as its authentication realm. On the other hand, in order to prevent the entire site's security from being compromised when one machine is compromised, each server could have its own realm. Certain mechanisms force the user (client side) to manually configure what realm they're in, making it harder for users to authenticate.
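The trade-off above, as an added example (not Cyrus SASL code and not part of the original page). It assumes a realm-aware mechanism that derives its stored secret the way RFC 2831 (DIGEST-MD5) defines it, H(username:realm:password); the host names, account and helper names are constructed for illustration.

```python
import hashlib
import hmac

def effective_realm(app_realm, server_fqdn):
    """Realm in use: the application's choice, else the server's FQDN (the default case)."""
    return app_realm if app_realm else server_fqdn

def digest_secret(user, realm, password):
    """Hex form of RFC 2831's H(username:realm:password), a realm-bound secret."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def build_store(accounts, realm):
    """Per-server verifier table keyed by (user, realm)."""
    return {(u, realm): digest_secret(u, realm, p) for u, p in accounts.items()}

def accepts(store, user, realm, secret):
    """True only if this server holds exactly this secret for user in realm."""
    expected = store.get((user, realm))
    return expected is not None and hmac.compare_digest(expected, secret)

# Constructed sample data: one account provisioned on two servers of one site.
ACCOUNTS = {"alice": "correct horse"}
SERVERS = ["imap.example.org", "smtp.example.org"]

def reusable_elsewhere(app_realm):
    """Is the secret stored on SERVERS[0] also valid on SERVERS[1]?

    app_realm is the site-wide realm the applications pass to SASL,
    or None to let each server fall back to its own FQDN.
    """
    stores = {s: build_store(ACCOUNTS, effective_realm(app_realm, s)) for s in SERVERS}
    src_realm = effective_realm(app_realm, SERVERS[0])
    dst_realm = effective_realm(app_realm, SERVERS[1])
    copied = stores[SERVERS[0]][("alice", src_realm)]
    return accepts(stores[SERVERS[1]], "alice", dst_realm, copied)

if __name__ == "__main__":
    print("site-wide realm :", reusable_elsewhere("example.org"))
    print("per-server realm:", reusable_elsewhere(None))
```

With a site-wide realm the stored secret is identical on every server, so exposure of one store affects all of them; with per-server realms each stored secret is valid only where it was created.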

The Kerberos mechanisms treat the SASL realm as the Kerberos realm. Thus, the realm for Kerberos mechanisms defaults to the default Kerberos realm on the server. They may support cross-realm authentication; check how your application deals with this.

Some authentication mechanisms, such as PLAIN and CRAM-MD5, do not support the concept of realms.

