Title: 4.1.2.2 - SASL CRAM-MD5 Authentication
NavPrev: 4.1.2.1-sasl-plain-text-authn.html
NavPrevText: 4.1.2.1 - SASL PLAIN text Authentication
NavUp: 4.1.2-sasl-authn.html
NavUpText: 4.1.2 - SASL Authentication
NavNext: 4.1.2.3-sasl-digest-md5-authn.html
NavNextText: 4.1.2.3 - SASL DIGEST-MD5 Authentication
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
# 4.1.2.2 - SASL CRAM-MD5 Authentication
The **CRAM-MD5** **SASL** mechanism is defined by [RFC 2195](http://www.ietf.org/rfc/rfc2195.txt).
The exchange starts with the client sending an empty _Bind request_ (the username and credentials are not sent in this first message); the server answers with a challenge.
<DIV class="warning" markdown="1">
It's not recommended to use this mechanism.
</DIV>
## Usage
The client first sends a _BindRequest_ with no credentials:
    :::Text
    MessageType : BIND_REQUEST
    Message ID : 1
    BindRequest
    Version : '3'
    Name : 'null'
    Sasl credentials
    Mechanism :'CRAM-MD5'
    Credentials : null
The server returns a _BindResponse_ with a SASL_BIND_IN_PROGRESS status, carrying the challenge in the server SASL credentials:
    :::Text
    MessageType : BIND_RESPONSE
    Message ID : 1
    BindResponse
    Ldap Result
    Result code : (SASL_BIND_IN_PROGRESS) saslBindInProgress -- new
    Matched Dn : ''
    Diagnostic message : ''
    Server sasl credentials : '0x3C 0x2D 0x37 0x38 0x30 0x39 0x37 0x35 0x33 0x32 0x33 0x38 0x35 0x32 0x31 0x37 0x37 0x37 0x37 0x35 0x30 0x2E 0x31 0x33 0x36 0x35 0x34 0x31 0x31 0x39 0x32 0x37 0x30 0x33 0x30 0x40 0x6C 0x6F 0x63 0x61 0x6C 0x68 0x6F 0x73 0x74 0x3E '
The client then sends a new _BindRequest_ whose credentials are the user name followed by the HMAC-MD5 digest of the server's challenge, keyed with the user's password:
    :::Text
    MessageType : BIND_REQUEST
    Message ID : 2
    BindRequest
    Version : '3'
    Name : 'null'
    Sasl credentials
    Mechanism :'CRAM-MD5'
    Credentials : (omitted-for-safety)
The point of the exchange is that the password itself is never sent in clear text: only a keyed hash of the challenge crosses the wire. To verify that hash the server must recompute it, which is only possible if the user's password is stored in clear text on the server.
When the server receives a **CRAM-MD5** bind request, it looks for the first entry whose **uid** attribute equals the supplied user name, starting from the server's **searchBaseDN** in the DIT.
<DIV class="note" markdown="1">
ApacheDS expects the given name to be stored in the **uid** attribute. This is not configurable in this version of the server.
</DIV>
<DIV class="warning" markdown="1">
The password must be stored in clear text on the server, because the server has to recompute the HMAC-MD5 digest to verify the client's response. This is a serious weakness.
</DIV>
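The following is an added example, not ApacheDS code: a minimal Python model of both sides of the CRAM-MD5 exchange described above (RFC 2195), written to make the warning concrete. The user name, password and host name are constructed sample values; the challenge bytes are the ones shown in the page's `BindResponse`, decoded to show the `<random.timestamp@host>` form, and the `lookup_clear_password` callback stands in for the `uid` search in the DIT. The RFC 2195 test vector (user `tim`, secret `tanstaaftanstaaf`) is included so the HMAC computation can be checked against the standard.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed sample values (hypothetical; not from any real deployment).
SAMPLE_USER = "hnelson"
SAMPLE_PASSWORD = "secret"   # the server must keep exactly this, in clear text
SAMPLE_HOST = "localhost"

# The "Server sasl credentials" bytes from the page's BindResponse, copied verbatim.
PAGE_CHALLENGE_BYTES = bytes([
    0x3C, 0x2D, 0x37, 0x38, 0x30, 0x39, 0x37, 0x35, 0x33, 0x32, 0x33, 0x38,
    0x35, 0x32, 0x31, 0x37, 0x37, 0x37, 0x37, 0x35, 0x30, 0x2E, 0x31, 0x33,
    0x36, 0x35, 0x34, 0x31, 0x31, 0x39, 0x32, 0x37, 0x30, 0x33, 0x30, 0x40,
    0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x3E,
])


def decode_page_challenge() -> str:
    """Decode the page's challenge bytes; the result has the RFC 2195 shape <random.time@host>."""
    return PAGE_CHALLENGE_BYTES.decode("ascii")


def make_challenge(hostname: str) -> bytes:
    """Server side: build a fresh, unpredictable challenge for the SASL_BIND_IN_PROGRESS response.
    os.urandom avoids a guessable nonce; the millisecond timestamp ties it to this session."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time() * 1000)}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: the SASL credentials of the second BindRequest.
    The password never leaves the client; it is only the HMAC-MD5 key over the challenge."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("utf-8")


def verify_cram_md5(response: bytes, challenge: bytes,
                    lookup_clear_password: Callable[[str], Optional[str]]) -> Tuple[bool, Optional[str]]:
    """Server side: split 'username digest', fetch that user's CLEAR-TEXT password and recompute
    the HMAC. A stored hash of the password (SSHA etc.) cannot be used here, because the HMAC key
    must be the password itself; that is the weakness the page warns about."""
    try:
        username, digest = response.decode("utf-8").rsplit(" ", 1)
    except ValueError:
        return False, None                      # malformed response: no separator
    clear_password = lookup_clear_password(username)
    if clear_password is None:
        return False, username                  # unknown uid
    expected = hmac.new(clear_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so verification does not leak timing information about the digest.
    return hmac.compare_digest(expected, digest), username


def rfc2195_response() -> str:
    """The RFC 2195 worked example: user 'tim', secret 'tanstaaftanstaaf', challenge as in the RFC."""
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    return cram_md5_response("tim", "tanstaaftanstaaf", challenge).decode("ascii")


def demo_exchange() -> Tuple[bool, bool]:
    """Run the three-message exchange with constructed values; returns (correct password accepted,
    wrong password accepted), which should be (True, False)."""
    directory = {SAMPLE_USER: SAMPLE_PASSWORD}          # stands in for the uid -> password lookup
    challenge = make_challenge(SAMPLE_HOST)             # BindResponse: SASL_BIND_IN_PROGRESS
    good = cram_md5_response(SAMPLE_USER, SAMPLE_PASSWORD, challenge)   # second BindRequest
    bad = cram_md5_response(SAMPLE_USER, "wrong-password", challenge)
    ok_good, _ = verify_cram_md5(good, challenge, directory.get)
    ok_bad, _ = verify_cram_md5(bad, challenge, directory.get)
    return ok_good, ok_bad


if __name__ == "__main__":
    print("challenge from the page :", decode_page_challenge())
    print("RFC 2195 client response:", rfc2195_response())
    print("(good accepted, wrong accepted):", demo_exchange())
```

Note that `verify_cram_md5` is only able to work because `lookup_clear_password` hands it the password itself; if the directory held only a salted hash, there would be nothing to key the HMAC with, which is exactly why this mechanism forces clear-text password storage and why the page advises against it.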