| Title: 4.1.2 SASL Authentication |
| navPrev: 4.1.1-simple-authn.html |
| NavPrevText: 4.1.1 - Simple authentication |
| NavUp: 4.1-authentication.html |
| NavUpText: 4.1 - Authentication |
| NavNext: 4.1.2.1-sasl-plain-text-authn.html |
| NavNextText: 4.1.2.1 - SASL PLAIN text Authentication |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 4.1.2 - SASL Authentication |
| |
| ## Chapter content |
| |
| * [4.1.2.1 - SASL PLAIN text Authentication](4.1.2.1-sasl-plain-text-authn.html) |
| * [4.1.2.2 - SASL CRAM-MD5 Authentication](4.1.2.2-sasl-cram-md5-authn.html) |
| * [4.1.2.3 - SASL DIGEST-MD5 Authentication](4.1.2.3-sasl-digest-md5-authn.html) |
| * [4.1.2.4 - SASL GSSAPI Authentication](4.1.2.4-sasl-gssapi-authn.html) |
| * [4.1.2.5 - SASL EXTERNAL Authentication](4.1.2.5-sasl-external-authn.html) |
| * [4.1.2.6 - SASL NTLM Authentication](4.1.2.6-sasl-ntlm-authn.html) |
| |
| |
| ## Introduction |
| |
| **SASL** authentication is based on a standard described in [RFC 4422](http://www.ietf.org/rfc/rfc4422.txt). **SASL** means **S**imple **A**uthentication and **S**ecurity **L**ayer. |
| |
| It extends the Simple authentication, by allowing the LDAP server to authenticate the user by various mechanisms. |
| |
The **SASL** Authentication is used when a simple user/password authentication is not enough, or when one wants to delegate authentication to another system. Many such systems exist, and they may require many parameters to authenticate a user. With **SASL**, a challenge/response exchange is used to obtain the needed information from the client, until the authentication either succeeds or fails.
| |
| As **ApacheDS** is based on Java, we only support the **SASL** mechanisms the JDK supports : |
| |
| * PLAIN : cleartext user/password authentication |
| * CRAM-MD5 : IMAP/POP authentication |
* DIGEST-MD5 : HTTP Digest authentication
| * GSSAPI : Kerberos authentication |
| * EXTERNAL : External authentication |
| * NTLM : NTLM authentication |
| * GSS-SPNEGO : The SPNEGO authentication |
| |
| It's important to notice that some of those mechanisms are either useless (PLAIN) or obsolete (DIGEST-MD5). |
| |
| It's of course possible to modify the list of supported **SASL** mechanisms, by updating the server's configuration. The list of mechanisms is stored as entries under the following **DN** : |
| |
    :::Text
    ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
| |
One can also check the configured **SASL** mechanisms on the server by sending a _SearchRequest_ to the server, on the _RootDSE_, looking for the _supportedSASLMechanisms_ attribute. Here is the result on ApacheDS 2.0.0 :
| |
| ![ApacheDS supported SASL mechanisms](images/supported-sasl-mechanisms.png) |
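To run the RootDSE check described above without an LDAP library, here is an added example (not ApacheDS code) that hand-encodes the SearchRequest per RFC 4511, decodes the SearchResultEntry that comes back, and flags the mechanisms this page calls weak in the "Usage and security" section below. The sample response is constructed, and the `tlv` helper only encodes short-form lengths, which is enough for the request.

```python
# Added example, not ApacheDS code: build the RootDSE SearchRequest by hand
# (RFC 4511 BER), decode the entry that comes back, and flag weak mechanisms.

def tlv(tag: int, content: bytes) -> bytes:
    """BER TLV with short-form length (every request built here is < 128 bytes)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def tlvs(buf: bytes):
    """Iterate (tag, content) over consecutive BER TLVs; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def rootdse_sasl_request(msg_id: int = 1) -> bytes:
    """SearchRequest on the RootDSE (base ""), scope baseObject,
    filter (objectClass=*), attribute list [supportedSASLMechanisms]."""
    search = (tlv(0x04, b"")                              # baseObject: RootDSE
              + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")  # scope base, no deref
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # sizeLimit, timeLimit
              + tlv(0x01, b"\x00")                       # typesOnly FALSE
              + tlv(0x87, b"objectClass")                # filter: present [7]
              + tlv(0x30, tlv(0x04, b"supportedSASLMechanisms")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))

def sasl_values(message: bytes) -> list:
    """supportedSASLMechanisms values from a SearchResultEntry LDAPMessage."""
    (_, body), = tlvs(message)
    for tag, content in tlvs(body):
        if tag == 0x64:                                 # SearchResultEntry [4]
            _dn, (_, attrs) = tlvs(content)
            for _, attr in tlvs(attrs):
                (_, atype), (_, vals) = tlvs(attr)
                if atype == b"supportedSASLMechanisms":
                    return [v.decode() for _, v in tlvs(vals)]
    return []

# Per this page: PLAIN/ANONYMOUS are useless, CRAM-MD5 and DIGEST-MD5 too weak
# (SCRAM replaces them); if any of these stays enabled, TLS must be on.
WEAK = {"PLAIN": "cleartext password", "ANONYMOUS": "no authentication",
        "CRAM-MD5": "weak, use SCRAM", "DIGEST-MD5": "obsolete, use SCRAM"}

def audit(advertised: list, tls_enabled: bool) -> list:
    """Findings for advertised mechanisms that are only acceptable under TLS."""
    return [f"{m}: {WEAK[m]}" for m in advertised if m in WEAK and not tls_enabled]
```

Send `rootdse_sasl_request()` over a plain socket to port 10389 and feed the first reply to `sasl_values`; the server's `SearchResultDone` message follows as a separate LDAPMessage.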
| |
Configuring this list can also be done using the **Studio ApacheDS Configuration** plugin :
| |
| ![ApacheDS SASL mechanisms configuration](images/sasl-mechanisms-config.png) |
| |
| ## Usage and security |
| |
| Most of the existing **SASL** mechanisms are just either useless (**PLAIN**, **ANONYMOUS**) or too weak to be used in a secured environment (**DIGEST-MD5** or **CRAM-MD5**). |
| |
| A new **SASL** mechanism has been designed to replace the last two mechanisms : **SCRAM** ([RFC 5802](http://www.ietf.org/rfc/rfc5802.txt)). |
| |
| In any case, if you are using one of those mechanisms, be sure to activate **TLS**. |
| |
| |
| ## Specifications |
| |
| The SASL specifications are defined by an [IETF Working Group](http://datatracker.ietf.org/wg/sasl/) which has published the following proposed standards : |
| |
| * [RFC 4013](http://www.ietf.org/rfc/rfc4013.txt) : SASLprep: Stringprep Profile for User Names and Passwords |
| * [RFC 4422](http://www.ietf.org/rfc/rfc4422.txt) : Simple Authentication and Security Layer (SASL) |
| * [RFC 4505](http://www.ietf.org/rfc/rfc4505.txt) : Anonymous Simple Authentication and Security Layer (SASL) Mechanism |
| * [RFC 4616](http://www.ietf.org/rfc/rfc4616.txt) : The PLAIN Simple Authentication and Security Layer (SASL) Mechanism |
* [RFC 4752](http://www.ietf.org/rfc/rfc4752.txt) : The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism
* [RFC 5801](http://www.ietf.org/rfc/rfc5801.txt) : Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
* [RFC 5802](http://www.ietf.org/rfc/rfc5802.txt) : Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms
| |
Other RFCs have been published for each specific mechanism; some of them are obsoleted by more recent RFCs :
| |
| * [RFC 2595](http://www.ietf.org/rfc/rfc2595.txt) : Using TLS with IMAP, POP3 and ACAP (updated by RFC 4616) |
| * [RFC 2195](http://www.ietf.org/rfc/rfc2195.txt) : IMAP/POP AUTHorize Extension for Simple Challenge/Response |
| * [RFC 2831](http://www.ietf.org/rfc/rfc2831.txt) : Using Digest Authentication as a SASL Mechanism (obsoleted by RFC 6631) |
| * [RFC 2222](http://www.ietf.org/rfc/rfc2222.txt) : Simple Authentication and Security Layer (SASL) (obsoleted by RFC 4422) |
| |
| |