directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Boreham <>
Subject Re: [mina] SASL support
Date Sat, 07 May 2005 13:44:39 GMT

>> 4 - parse the application protocol so it can get the SASL payload
It occurred to me that this might be why you're confused about this.
In the case of LDAP, your statment above is incorrect (I don't know 
anything about
SASL with other protocols, so you may well be correct in non-LDAP cases).
With LDAP, SASL encryption is layered _below_ the application procotol.
That is, the encryption is done on the LDAP PDU byte stream,
potentially with framing that is not aligned with the LDAP PDUs.
It's essentially identically the same layering scenario as SSL/TLS.
And this is why I will not be eating my keyboard regardless of how tasty 
it might be.

(The SASL _authentication_ payload is carried in the LDAP protocol,
within the BIND requests and responses, but _encryption_ is done below
the LDAP protocol).

As I've said a few times already, a quick read of some code that
implements this will show how it works.

View raw message