directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vinod Panicker <>
Subject Re: [mina] SASL support
Date Fri, 06 May 2005 13:01:13 GMT
OK, here's the explanation that I promised.

On 5/5/05, David Boreham <> wrote:
> Vinod Panicker wrote:

> Actually I don't think so. There are two aspects to SASL:
> authentication and 'encryption'. What you are saying is correct
> for the authentication part : for example in the case of LDAP
> the SASL payload is sent inside the regular BIND request PDU.

There is no "encryption" aspect to SASL.  SASL simply acts as a
container or as a definition of a challenge-response technique for
authentication.  The actual authentication is implemented by
mechanisms.  SASL was designed to be extensible - that is why there
are many different mechanisms that are available today.  Encryption as
a function would be specific to a mechanism.  Even I can define a new
mechanism tomorrow and have the data being transmitted over the wire
encrypted.  IMHO, the implementation of encryption/any other
functionality should be done within a mechanism.  It would be wrong to
state that this functionality is part of "SASL" - its part of a
"Mechanism".  Refer to
for a list of all registered SASL mechanisms.

> However, for 'sasl encryption' the actual packets sent on the wire
> are wrapped by an encryption layer in much the same way as
> SSL. In implementing this it is necessary to get at the raw byte
> stream from the socket. To me this looks exactly like task for a mina
> filter.

Disagree.  The SASL payload is supposed to be carried by the host
protocol, which can have its own way of defining how it will carry the
SASL payload.  It basically has to provide a conduit for the SASL
challenges/responses.  SSL is different in the sense that its at the
Transport layer.  The SASL payload is carried by an Application layer
protocol.  Its not necessary to get the raw byte stream since the
carrier protocol might state that the SASL payload has to be encoded
in a certain format - eg base64.  Here, the SASL data would be sent as
ASCII text.

> Now, it turns out that not many deployed apps actually use
> sasl encryption. The one I'm most familiar with is Kerberos.
> i.e. if you initiate an LDAP session with SASL and the Kerberos
> mechansim, you can negotiate encryption using SASL, which
> actually ends up being done by Kerberos. Same goes I believe
> for at least one of the MD5-based mechanisms.
> Quite a few existing LDAP servers support SASL encryption, FWIW.
> See the Cyrus SASL kerberos plugin source code for more
> details on this.

TLS is the perfect candidate for a MINA filter since it will
manipulate *all* data being sent over the wire.  An SASL mechanism
requiring encryption isnt coz the carrier protocol might define a
specific method of wrapping it.  MINA has to be protocol agnostic. 
Also, the SASL sequence comes into play usually only once for a user
session, whereas a filter is designed to be for a longer period -
mostly for the entire session.

Hope this makes it clear as to why having an SASL filter in MINA would
be a bad design decision.


View raw message