directory-dev mailing list archives

From David Boreham <>
Subject Re: [mina] SASL support
Date Mon, 09 May 2005 23:13:30 GMT

>I guess we've been talking about different things all this while.
>You've been talking about the optionally negotiated security layer and
>I've been talking about the actual SASL payload (challenges/responses).
Yes! I had hoped that I'd made this clear a while back. Apologies for that.

>I'd be doing an SASL impl with DIGEST-MD5 and EXTERNAL mechanisms
>this week for XMPP.  These mechanisms do not have an optional security
>layer as the GSSAPI and Kerberos mechanisms do.  I've already done an
>SASL PoC using JDK 1.5 and the DIGEST-MD5 mechanism.
The DIGEST-MD5 mechanism _does_ support privacy and integrity
using exactly the same layering design as does gssapi (for LDAP at any 
You can see the details of this in
(sections 2.3 and 2.4).
Microsoft implements this in AD, and so does Sun in their LDAP server.
Since it's supported in Cyrus SASL, a suitably built OpenLDAP would also
support MD5 with encryption. I've pasted a tiny bit of the Cyrus md5
plugin source code below for the unbelievers.
EXTERNAL does not have encryption; since it is designed for use with SSL,
encryption would be redundant.

>If the encryption is at a transport level, such as is with TLS/SSL, it
>would make great sense to implement a mina filter.  But the question
>since the beginning has been -
>Where would you handle the SASL challenge/responses?
They get picked up inside the processing of the LDAP BIND request.
So you need to enhance that code (the challenge/response payload
is inside the BER for the BIND request and BIND response).

Typically from there there is yet another abstraction interface which
one calls with the payload, suitably unpacked from the BER.

Said interface has provisions to supply payload back to the caller,
and also to inform the caller if the authentication has succeeded,
_and_ when and if to install a security layer ;)

And on and on...


    /* if privacy mode is used use these functions for encode and decode */
    cipher_function_t *cipher_enc;
    cipher_function_t *cipher_dec;
    cipher_init_t *cipher_init;
    cipher_free_t *cipher_free;
    struct cipher_context *cipher_enc_context;
    struct cipher_context *cipher_dec_context;
} context_t;

struct digest_cipher {
    char *name;
    sasl_ssf_t ssf;
    int n; /* bits to make privacy key */
    int flag; /* a bitmask to make things easier for us */

    cipher_function_t *cipher_enc;
    cipher_function_t *cipher_dec;
    cipher_init_t *cipher_init;
    cipher_free_t *cipher_free;
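
The BIND-loop-then-security-layer sequence described above, as an added example that is not code from this thread, from MINA, or from the Cyrus plugin. It drives the JDK's own DIGEST-MD5 client and server (javax.security.sasl) against each other in one process; the class name, the host name ldap.example.test and the alice/s3cret credentials are constructed test values.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;
/* Hypothetical driver: one JVM plays both LDAP sides of a DIGEST-MD5 bind, then uses the negotiated privacy layer. */
public class DigestMd5LayerDemo {
    /* One handler serves both sides: name/password for the client, password lookup and authz for the server. */
    static CallbackHandler handler(final String user, final char[] pw) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else if (cb instanceof AuthorizeCallback) {   // server side: require authn id == authz id
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    public static void main(String[] args) throws IOException {
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth-conf");   // require the privacy (encryption) layer, not just authentication
        CallbackHandler h = handler("alice", "s3cret".toCharArray());   // constructed test credentials
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "ldap", "ldap.example.test", props, h);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "ldap",
                                                  "ldap.example.test", props, h);
        /* The BIND loop: each server challenge is what goes into BindResponse serverSaslCreds
         * (resultCode saslBindInProgress); each client response is the next BindRequest's credentials. */
        byte[] response = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
        int rounds = 0;
        while (!server.isComplete()) {
            byte[] challenge = server.evaluateResponse(response);
            rounds++;
            if (challenge != null && !client.isComplete()) response = client.evaluateChallenge(challenge);
        }
        if (!client.isComplete()) throw new SaslException("client did not finish the exchange");
        String qop = (String) server.getNegotiatedProperty(Sasl.QOP);
        System.out.println("bind rounds=" + rounds + " qop=" + qop + " authz=" + server.getAuthorizationID());
        /* Only after success is the layer installed; from here every PDU must go through wrap/unwrap. */
        byte[] plain = "searchRequest bytes".getBytes(StandardCharsets.US_ASCII);
        byte[] onWire = server.wrap(plain, 0, plain.length);
        byte[] back = client.unwrap(onWire, 0, onWire.length);
        System.out.println("wrapped " + plain.length + " -> " + onWire.length + " bytes, intact=" + Arrays.equals(plain, back));
        client.dispose(); server.dispose();
    }
}
```

Expect two bind rounds (challenge/response, then rspauth) and qop=auth-conf; set Sasl.QOP to "auth" on either side to see the same exchange end without a layer, which is the distinction the reply is drawing.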
