Google Git
Sign in
apache / directory-site / 6230fd617378ee6404047f7caa0c297150fbc2ef / . / content / apacheds / advanced-ug / 4.1.2-sasl-authn.mdtext
blob: 897fa478a594ef321323ca20ff292751b81a445a [file] [log] [blame]
Title: 4.1.2 SASL Authentication
navPrev: 4.1.1-simple-authn.html
NavPrevText: 4.1.1 - Simple authentication
NavUp: 4.1-authentication.html
NavUpText: 4.1 - Authentication
NavNext: 4.1.2.1-sasl-plain-text-authn.html
NavNextText: 4.1.2.1 - SASL PLAIN text Authentication
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
# 4.1.2 - SASL Authentication
## Chapter content
* [4.1.2.1 - SASL PLAIN text Authentication](4.1.2.1-sasl-plain-text-authn.html)
* [4.1.2.2 - SASL CRAM-MD5 Authentication](4.1.2.2-sasl-cram-md5-authn.html)
* [4.1.2.3 - SASL DIGEST-MD5 Authentication](4.1.2.3-sasl-digest-md5-authn.html)
* [4.1.2.4 - SASL GSSAPI Authentication](4.1.2.4-sasl-gssapi-authn.html)
* [4.1.2.5 - SASL EXTERNAL Authentication](4.1.2.5-sasl-external-authn.html)
* [4.1.2.6 - SASL NTLM Authentication](4.1.2.6-sasl-ntlm-authn.html)
## Introduction
**SASL** authentication is based on a standard described in [RFC 4422](http://www.ietf.org/rfc/rfc4422.txt). **SASL** means **S**imple **A**uthentication and **S**ecurity **L**ayer.
It extends the Simple authentication, by allowing the LDAP server to authenticate the user by various mechanisms.
The **SASL* Authentication is used when a simple user/password authentication is not enough, or when one want to delegate authentication to another system. Many other systems exist, and may take many parameters to authenticate a user. With **SASL**, a challenge/response system is used to get the needed information from the client, up to the point the authentication is either successful or fails.
As **ApacheDS** is based on Java, we only support the **SASL** mechanisms the JDK supports :
* PLAIN : cleartext user/password authentication
* CRAM-MD5 : IMAP/POP authentication
* DIGEST-MD5 : Http Digest authentication
* GSSAPI : Kerberos authentication
* EXTERNAL : External authentication
* NTLM : NTLM authentication
* GSS-SPNEGO : The SPNEGO authentication
It's important to notice that some of those mechanisms are either useless (PLAIN) or obsolete (DIGEST-MD5).
It's of course possible to modify the list of supported **SASL** mechanisms, by updating the server's configuration. The list of mechanisms is stored as entries under the following **DN** :
:::Text
ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
One can also check the configured **SASL** mchanisms on the server by sending a _SeachRequest_ to the server, on the _RootDSE_, looking for the _supportedSASLMechanisms_. Here is the esult on ApacheDS 2.0.0 :
![ApacheDS supported SASL mechanisms](images/supported-sasl-mechanisms.png)
Configuring this list can also be done using **Studio ApacheDS Configuration** plugin :
![ApacheDS SASL mechanisms configuration](images/sasl-mechanisms-config.png)
## Usage and security
Most of the existing **SASL** mechanisms are just either useless (**PLAIN**, **ANONYMOUS**) or too weak to be used in a secured environment (**DIGEST-MD5** or **CRAM-MD5**).
A new **SASL** mechanism has been designed to replace the last two mechanisms : **SCRAM** ([RFC 5802](http://www.ietf.org/rfc/rfc5802.txt)).
In any case, if you are using one of those mechanisms, be sure to activate **TLS**.
## Specifications
The SASL specifications are defined by an [IETF Working Group](http://datatracker.ietf.org/wg/sasl/) which has published the following proposed standards :
* [RFC 4013](http://www.ietf.org/rfc/rfc4013.txt) : SASLprep: Stringprep Profile for User Names and Passwords
* [RFC 4422](http://www.ietf.org/rfc/rfc4422.txt) : Simple Authentication and Security Layer (SASL)
* [RFC 4505](http://www.ietf.org/rfc/rfc4505.txt) : Anonymous Simple Authentication and Security Layer (SASL) Mechanism
* [RFC 4616](http://www.ietf.org/rfc/rfc4616.txt) : The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
* [RFC 4752](http://www.ietf.org/rfc/rfc4752.txt) : The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer
(SASL) Mechanism
* [RFC 5801](http://www.ietf.org/rfc/rfc5801.txt) : Using Generic Security Service Application Program Interface (GSS-API)
Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
* [RFC 5802](http://www.ietf.org/rfc/rfc5802.txt) : Salted Challenge Response Authentication Mechanism (SCRAM) SASL
and GSS-API Mechanisms
Some other RFCs have been published, for each specific mechanisms, some of them are obsoleted by more recent RFCs :
* [RFC 2595](http://www.ietf.org/rfc/rfc2595.txt) : Using TLS with IMAP, POP3 and ACAP (updated by RFC 4616)
* [RFC 2195](http://www.ietf.org/rfc/rfc2195.txt) : IMAP/POP AUTHorize Extension for Simple Challenge/Response
* [RFC 2831](http://www.ietf.org/rfc/rfc2831.txt) : Using Digest Authentication as a SASL Mechanism (obsoleted by RFC 6631)
* [RFC 2222](http://www.ietf.org/rfc/rfc2222.txt) : Simple Authentication and Security Layer (SASL) (obsoleted by RFC 4422)