directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r857720 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.1.2.2-sasl-cram-md5-authn.html
Date Mon, 08 Apr 2013 09:58:31 GMT
Author: buildbot
Date: Mon Apr  8 09:58:31 2013
New Revision: 857720

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.2-sasl-cram-md5-authn.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Apr  8 09:58:31 2013
@@ -1 +1 @@
-1465562
+1465583

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.2-sasl-cram-md5-authn.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.2-sasl-cram-md5-authn.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.2-sasl-cram-md5-authn.html
Mon Apr  8 09:58:31 2013
@@ -138,6 +138,52 @@
 
 
 <h1 id="4122-sasl-cram-md5-authentication">4.1.2.2 - SASL CRAM-MD5 Authentication</h1>
+<p>The <strong>CRAM-MD5</strong> <strong>SASL</strong> mechanism
is defined by <a href="http://www.ietf.org/rfc/rfc2195.txt">RFC 2195</a>.</p>
+<p>We will have an exchange between the client, which will send an empty <em>Bind
request</em> (ie, the username and credentials won't be sent the first time), and the
server will return a challenge.</p>
+<p>The client first send a <em>BindRequest</em> with no credentials:</p>
+<div class="codehilite"><pre>MessageType : BIND_REQUEST
+Message ID : 1
+    BindRequest
+        Version : &#39;3&#39;
+        Name : &#39;null&#39;
+        Sasl credentials
+            Mechanism :&#39;CRAM-MD5&#39;
+            Credentials : null
+</pre></div>
+
+
+<p>The server will return a <em>BindResponse</em> with a SASL_BIND_IN_PROGRESS
status :</p>
+<div class="codehilite"><pre>MessageType : BIND_RESPONSE
+Message ID : 1
+    BindResponse
+        Ldap Result
+            Result code : (SASL_BIND_IN_PROGRESS) saslBindInProgress -- new
+            Matched Dn : &#39;&#39;
+            Diagnostic message : &#39;&#39;
+        Server sasl credentials : &#39;0x3C 0x2D 0x37 0x38 0x30 0x39 0x37 0x35 0x33 0x32
0x33 0x38 0x35 0x32 0x31 0x37 0x37 0x37 0x37 0x35 0x30 0x2E 0x31 0x33 0x36 0x35 0x34 0x31
0x31 0x39 0x32 0x37 0x30 0x33 0x30 0x40 0x6C 0x6F 0x63 0x61 0x6C 0x68 0x6F 0x73 0x74 0x3E
&#39;
+</pre></div>
+
+
+<p>and will accordingly send a new <em>BindRequest</em> whith the appropriate
credentials whch has been hashed with the server's provided challenge token :</p>
+<div class="codehilite"><pre>MessageType : BIND_REQUEST
+Message ID : 2
+    BindRequest
+        Version : &#39;3&#39;
+        Name : &#39;null&#39;
+        Sasl credentials
+            Mechanism :&#39;CRAM-MD5&#39;
+            Credentials : (omitted-for-safety)
+</pre></div>
+
+
+<p>In any case, the full exchange aims at transfering the user's credential encrypted
instead of passing it in clear text. Once the server receives the password, it will check
it against the stored password which must be stored in clear text.</p>
+<p>When the server receives a <strong>SASL PLAIN</strong> bind request,
it will look for the first entry which <strong>uid</strong> is equal to the provided
value, starting from the server <strong>searchBaseDN</strong> position in the
DIT.</p>
+<p><DIV class="note" markdown="1">
+ApacheDS expect the given name to be stored in the <strong>UID</strong> Attribute.
This is not configurable in this version of the server.
+</DIV></p>
+<p><DIV class="warn" markdown="1">
+The password must be stored in clear text on the server. This is a serious weakness...
+</DIV></p>
 
 
     <div class="nav">
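Review bot: the paragraph beginning `<p>When the server receives a <strong>SASL PLAIN</strong> bind request,` names the wrong mechanism for this page (it reads like a copy from the SASL PLAIN page) and should say "SASL CRAM-MD5 bind request". The paragraph just above it also misdescribes RFC 2195: the password is never sent, encrypted or otherwise. The client's second BindRequest carries `username SP hex(HMAC-MD5(password, challenge))`, and the server recomputes that digest from the stored clear-text password and compares the two; that recomputation is the reason the password must be stored in clear text, which the warn box at the end correctly flags. Suggest rewording `In any case, the full exchange aims at transfering the user's credential encrypted` and `Once the server receives the password, it will check` to describe a keyed hash over the challenge that the server recomputes and compares. Two smaller points: the paragraph starting `and will accordingly send a new <em>BindRequest</em> whith the appropriate` lacks its subject (the client) and has typos (whith, whch); and the server SASL credentials hex dump would be far more readable with its ASCII decoding alongside, `<-7809753238521777750.1365411927030@localhost>`, which also shows readers that the challenge is an RFC 2195 style msg-id built from a random number, a timestamp and the host name.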


