Note: Work in progress

This site is in the process of being reviewed and updated.

Introduction

Apache Directory currently supports the CRAM-MD5, DIGEST-MD5, and GSSAPI SASL mechanisms. SASL is used during LDAP Binds to authenticate users. Additionally, with the DIGEST-MD5 and GSSAPI mechanisms, SASL can also provide message integrity (checksums) and, optionally, message privacy (encryption). When using SASL message privacy, connections do not need SSL to protect communications.

Architecture

SASL workflow is implemented in the LDAP Protocol Provider's BindHandler. At the start of a Bind, the BindHandler handles SASL negotiation. During SASL negotiation, the LDAP client is first authenticated. After successful authentication, an LDAP context is established and a SUCCESS message is returned.

...

Code Block
Inbound --> SaslFilter --> decoder --> SearchHandler <--> backend
Outbound <-- SaslFilter <-- encoder <-------'

CRAM-MD5

Password must be stored as plaintext in the 'userPassword' attribute.
Username is matched to 'uid' under a base DN.

DIGEST-MD5

Password must be stored as plaintext in the 'userPassword' attribute.
Username is matched to 'uid' under a base DN.
Realm must match realms advertised by the LDAP server, but there is no multi-realm support yet.
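The plaintext-password requirement in the CRAM-MD5 and DIGEST-MD5 lists above follows from how these mechanisms verify a client: the server must recompute an HMAC keyed with the user's password, so a hashed userPassword ({SSHA}, {MD5} and the like) cannot be used. The following Python is an added example, not ApacheDS code, that walks through the RFC 2195 CRAM-MD5 exchange against a constructed in-memory directory: the server issues a challenge, the client answers with "username hexdigest", and the server locates the entry by matching the username to uid under a base DN and recomputes the digest from the stored plaintext password. The directory entries, the base DN and the hostname are assumptions; the "tim"/"tanstaaftanstaaf" pair is the worked example from RFC 2195. The same reason applies to DIGEST-MD5, whose server-side computation likewise starts from the password.

```python
import hashlib
import hmac
import secrets

# Constructed toy directory (DN -> attributes); stands in for the LDAP backend.
DIRECTORY = {
    "uid=hnelson,ou=users,dc=example,dc=com": {
        "uid": "hnelson",
        "userPassword": "secret",            # plaintext, as CRAM-MD5 requires
    },
    "uid=tim,ou=users,dc=example,dc=com": {
        "uid": "tim",
        "userPassword": "tanstaaftanstaaf",  # RFC 2195 worked example
    },
    "uid=hashed,ou=users,dc=example,dc=com": {
        "uid": "hashed",
        "userPassword": "{SSHA}placeholder-hash",  # hashed: unusable for CRAM-MD5
    },
}
BASE_DN = "dc=example,dc=com"  # assumed search base for uid matching


def new_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 shape."""
    return f"<{secrets.randbits(64)}.{secrets.randbits(32)}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: 'username ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def find_by_uid(username: str, base_dn: str):
    """Match the SASL username to the 'uid' attribute of an entry under base_dn."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base_dn) and attrs.get("uid") == username:
            return attrs
    return None


def verify_cram_md5(response: str, challenge: str, base_dn: str = BASE_DN) -> bool:
    """Server side: recompute the HMAC from the stored plaintext password.

    Fails closed when the user is unknown, outside the base DN, or when
    userPassword is stored hashed (scheme prefix in braces).
    """
    username, _, client_digest = response.partition(" ")
    attrs = find_by_uid(username, base_dn)
    if attrs is None:
        return False
    stored = attrs.get("userPassword", "")
    if stored.startswith("{"):
        # A hashed value cannot serve as the HMAC key; the mechanism cannot work.
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison so a wrong digest does not leak by timing.
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    chal = new_challenge("ldap.example.com")
    resp = cram_md5_response("hnelson", "secret", chal)
    print("challenge:", chal)
    print("response: ", resp)
    print("verified: ", verify_cram_md5(resp, chal))
    print("hashed entry verifies:", verify_cram_md5(cram_md5_response("hashed", "x", chal), chal))
```

Running the block prints a challenge, the client's response and True for the plaintext entry, and False for the entry whose userPassword carries a hash scheme prefix. Because the key to the HMAC is the password itself, the directory must hold the password in a form the server can read back, which is the trade-off the two lists above describe.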

GSSAPI

Principal name is matched to the 'krb5PrincipalName' attribute under a base DN.
No multi-realm support yet.
Principal configuration (user, service, krbtgt) can all occur on LDIF load.

Anonymous queries

RootDSE queries will never require authentication.

...

Code Block
$ ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -x

SASL queries

CRAM-MD5 is a username/password mechanism.

...

Code Block
$ ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI

Resources

IMAP/POP AUTHorize Extension for Simple Challenge/Response
http://www.ietf.org/rfc/rfc2195.txt

...