|
@@ -469,6 +469,17 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
|
469
|
469
|
return false
|
470
|
470
|
}
|
471
|
471
|
|
|
472
|
+ // EXTERNAL doesn't carry an authentication ID (this is determined from the
|
|
473
|
+ // certificate), but does carry an optional authorization ID.
|
|
474
|
+ if len(value) != 0 {
|
|
475
|
+ authcid := client.Account()
|
|
476
|
+ cfAuthzid, err := CasefoldName(string(value))
|
|
477
|
+ if err != nil || cfAuthzid != authcid {
|
|
478
|
+ rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), client.t("SASL authentication failed: authcid and authzid should be the same"))
|
|
479
|
+ return false
|
|
480
|
+ }
|
|
481
|
+ }
|
|
482
|
+
|
472
|
483
|
sendSuccessfulAccountAuth(client, rb, false, true)
|
473
|
484
|
return false
|
474
|
485
|
}
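Review bot: The mismatch branch at `if err != nil || cfAuthzid != authcid` only sends ERR_SASLFAIL and returns, yet `authcid` is read from `client.Account()`, which suggests the certificate login was already applied to the client by code above the hunk (not visible here). If so, a client that sends a different or un-casefoldable authzid is told authentication failed while its session stays logged in to the certificate's account, so the reply and the session state disagree. Either validate the authzid before the login is committed or undo the login on this path, and record the invariant with a comment such as `// a SASLFAIL reply must leave the client logged out: check authzid before the account login takes effect`. The start of authExternalHandler lies outside the hunk, so the ordering should be confirmed against the full function.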
|