title: 5.3 - SASL Bind navPrev: 5.2-start-tls.html navPrevText: 5.2 - StartTLS navUp: 5-ldap-security.html navUpText: 5 - LDAP Security navNext: 5.4-password-handling.html navNextText: 5.4 - Password Handling
Note: Work in progress...
5.3 - SASL Bind
SASL is defined by RFC 4422 which obsoletes RFC2222. There are also a few RFCs that are related to SASL, they are listed in the next paragraph.
In any case, as ApacheDS and the Apache LDAP API are based on Java, we depend on the Java SASL impementation. Typically, this is handled by the SunSASL provider, which only support the following mechanisms, as of Java 8 :
- PLAIN (Client)
- CRAM-MD5 (Client/Server)
- DIGEST-MD5 (Client/Server)
- GSSAPI (Client/Server)
- EXTERNAL (Client)
Note that in Java 9, those mechanisms are spread in two different providers, the GSSAPI mechanism being handled by the JdkSASL provider.
We currently don't support any other provider.
SASL Bind handling
The SASL framework may require more than one BindRequest/BindResponse to be exchanched, as ther server may need more information from the client. The client must be ready to deal with such situation, by controling the resturned result : SASL_BIND_IN_PROGRESS means more is required.
In any case, the client must send a first BindRequest with the proper information. We have dedicated methods to do so, based on the SASL mechanism to use :
- bindSaslPlain() : PLAIN mechanism
- bindSaslCramMd5() : CRAM-MD5 mechanism
- bindSaslDigestMd5() : DIGEST-MD5 mechanism
- bindSaslGssApi() : GSSAPI mechanism
- bindSaslExternal() : EXTERNAL mechaism
We don't support the SASL ANONYMOUS mechanism.
There is also a more generic method that anyone can use with any mechanism, assuming we have a class implementing it :
- bindSasl( Saslrequest )
It's just about using an instance of a class extending the SaslRequest interface.
Here is an example of a SASL bind, where we assume we have an entry which uid is “hnelson”, and a userPassword which is “secret” (note that the password must be in clear text in the server) :
:::java
LdapNetworkConnection connection = new LdapNetworkConnection( Network.LOOPBACK_HOSTNAME, getLdapServer().getPort() );
BindResponse resp = connection.bindSaslCramMd5( "hnelson", "secret" );
assertEquals( ResultCodeEnum.SUCCESS, resp.getLdapResult().getResultCode() );
RFCs
Here are the list of RFCs related to SASL:
: Informational
: Historic
: Proposed Standard
: Experimental
: Best current practice
Obsolete RFCs
| RFC | Description | Obsoleted by | Status |
|---|---|---|---|
| RFC 2222 | Simple Authentication and Security Layer (SASL) | RFC 4422, RFC 4752 | |
| RFC 2245 | Anonymous SASL Mechanism | RFC 4505 | |
| RFC 2831 | Using Digest Authentication as a SASL Mechanism | RFC 4505 | |
| RFC 4013 | SASLprep: Stringprep Profile for User Names and Passwords | RFC 7613 | |
| RFC 7613 | Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords | RFC 8265 | |
Active RFCs
| RFC | Description | Status |
|---|---|---|
| RFC 2444 | The One-Time-Password SASL Mechanism | |
| RFC 2808 | The SecurID(r) SASL Mechanism | |
| RFC 4422 | Simple Authentication and Security Layer (SASL) | |
| RFC 4505 | Anonymous Simple Authentication and Security Layer (SASL) Mechanism | |
| RFC 4616 | The PLAIN Simple Authentication and Security Layer (SASL) Mechanism | |
| RFC 4752 | The Kerberos V5 (“GSSAPI”) Simple Authentication and Security Layer (SASL) Mechanism | |
| RFC 5801 | Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family | |
| RFC 5802 | Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms | |
| RFC 6331 | Moving DIGEST-MD5 to Historic | |
| RFC 7677 | SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms | |
| RFC 8265 | Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords | |