directory-dev mailing list archives

From David Boreham <da...@bozemanpass.com>
Subject Re: [mina] SASL support
Date Thu, 05 May 2005 12:41:57 GMT
Vinod Panicker wrote:

>Hi,
>
>Basically got to thinking on this and realized that it wouldn't be
>proper if SASL support is integrated into MINA.  SASL is supposed to
>be utilized by existing protocols as a means of providing
>authentication.  It's not an independent protocol in itself.  In the
>case of ApacheDS, the LDAP protocol would be carrying SASL data as
>well.  So actually SASL should be implemented by the ProtocolHandler
>rather than as a MINA filter.
Actually I don't think so. There are two aspects to SASL:
authentication and 'encryption'. What you are saying is correct
for the authentication part: for example in the case of LDAP
the SASL payload is sent inside the regular BIND request PDU.

However, for 'sasl encryption' the actual packets sent on the wire
are wrapped by an encryption layer in much the same way as
SSL. In implementing this it is necessary to get at the raw byte
stream from the socket. To me this looks exactly like a task for a MINA
filter.

Now, it turns out that not many deployed apps actually use
sasl encryption. The one I'm most familiar with is Kerberos.
i.e. if you initiate an LDAP session with SASL and the Kerberos
mechanism, you can negotiate encryption using SASL, which
actually ends up being done by Kerberos. Same goes I believe
for at least one of the MD5-based mechanisms.

Quite a few existing LDAP servers support SASL encryption, FWIW.

See the Cyrus SASL kerberos plugin source code for more
details on this.
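To make the "wrapping the raw byte stream" point concrete, here is an added example that is not part of the original thread, nor MINA, ApacheDS or Cyrus SASL code. It frames protected buffers the way RFC 4422 section 3.7 describes (a four-octet big-endian length field before each protected buffer, bounded by the negotiated maximum buffer size) and puts the unwrapping in a filter-style object that consumes arbitrary socket chunks and hands complete plaintext buffers up to a protocol handler. The integrity transform itself (HMAC-SHA256 over a sequence number and the payload) is a constructed stand-in; it is not the Kerberos/GSSAPI or DIGEST-MD5 wrap format, and the key and messages are made up for the demonstration.

```python
"""Toy SASL security layer: RFC 4422-style length-prefixed frames plus a
stream filter that unwraps them from arbitrary byte chunks.

The integrity transform (HMAC-SHA256 over seq || payload) is a constructed
stand-in, NOT the GSSAPI/Kerberos or DIGEST-MD5 wrap format; it only
illustrates why the unwrap step belongs on the raw byte stream.
"""
import hashlib
import hmac
import struct

MAC_LEN = 32  # SHA-256 digest size


class SecurityLayer:
    """One side of a negotiated (integrity-only) SASL security layer."""

    def __init__(self, key: bytes, max_buf: int = 65536):
        self.key = key            # constructed session key
        self.max_buf = max_buf    # negotiated maximum buffer size
        self.send_seq = 0
        self.recv_seq = 0

    def _mac(self, seq: int, payload: bytes) -> bytes:
        # Sequence number in the MAC input defeats replay/reordering.
        return hmac.new(self.key, struct.pack(">I", seq) + payload,
                        hashlib.sha256).digest()

    def wrap(self, payload: bytes) -> bytes:
        """Protect one buffer and prepend the 4-octet length field."""
        if len(payload) + MAC_LEN > self.max_buf:
            raise ValueError("buffer exceeds negotiated maximum")
        body = payload + self._mac(self.send_seq, payload)
        self.send_seq += 1
        return struct.pack(">I", len(body)) + body

    def unwrap_body(self, body: bytes) -> bytes:
        """Verify one protected buffer (length field already stripped)."""
        if len(body) < MAC_LEN:
            raise ValueError("integrity check failed")
        payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(self.recv_seq, payload)):
            raise ValueError("integrity check failed")
        self.recv_seq += 1
        return payload


class UnwrapFilter:
    """Sits on the raw socket stream (where a MINA filter would): buffers
    partial frames, unwraps complete ones, returns plaintext buffers."""

    def __init__(self, layer: SecurityLayer):
        self.layer = layer
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack(">I", self.buf[:4])
            if length > self.layer.max_buf:
                raise ValueError("frame larger than negotiated maximum")
            if len(self.buf) < 4 + length:
                break  # partial frame: wait for more bytes
            body = self.buf[4:4 + length]
            self.buf = self.buf[4 + length:]
            out.append(self.layer.unwrap_body(body))
        return out


def demo() -> list:
    """Two protected buffers delivered in 7-byte chunks, as a socket might."""
    key = b"constructed-session-key"
    client = SecurityLayer(key)
    server_filter = UnwrapFilter(SecurityLayer(key))
    # Constructed placeholders standing in for BER-encoded LDAP PDUs.
    wire = client.wrap(b"searchRequest#1") + client.wrap(b"searchRequest#2")
    received = []
    for i in range(0, len(wire), 7):
        received.extend(server_filter.feed(wire[i:i + 7]))
    return received


def tamper_detected() -> bool:
    """Flip one bit of a protected payload; the filter must reject it."""
    key = b"constructed-session-key"
    frame = bytearray(SecurityLayer(key).wrap(b"bindRequest"))
    frame[5] ^= 0x01  # byte 5 is inside the payload, after the length field
    try:
        UnwrapFilter(SecurityLayer(key)).feed(bytes(frame))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", tamper_detected())
```

Note that nothing in the filter needs to know about LDAP: it only sees the length-prefixed stream, which is exactly why it belongs below the protocol decoder rather than inside the BIND handling. The authentication exchange that negotiates the layer still rides inside the protocol's own PDUs, as the thread says.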
