directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vinod Panicker <vino...@gmail.com>
Subject Re: [mina] SASL support
Date Sat, 07 May 2005 05:36:58 GMT
Hi David,

On 5/6/05, David Boreham <david@bozemanpass.com> wrote:
> Vinod Panicker wrote:
> 
--snip--
> >
> Unfortunately 'sasl' means many things.
> However, there certainly is encryption defined in RFC2222 for the GSSAPI
> mechansim
> and it's in common use in the wild (RFC2222 calls it the 'security layer').

Yes, encryption is defined in the Kerberos, GSSAPI "mechanisms".

The Security Layer of "Simple Authentication and Security Layer"
refers to an optional security layer that can be inserted after
authentication is completed for exchanging the protocol data.

> If you ever come to implement it for LDAP in Apache DS, I will eat my
> keyboard if you
> do not end up writing a mina filter. 

I sure hope you have a tasty keyboard :)
But its starting to seem to me that we are talking abt different
things.  Lets take a different approach.  Lets assume that we do
implement an SASL filter in MINA.  In that case, the filter would need
to -

1 - support different mechanisms such as EXTERNAL, DIGEST-MD5, GSSAPI,
KERBEROS etc.
2 - provide encryption support as desired by each mechanism
3 - provide facility to negotiate an optional security layer after
authentication is done
4 - parse the application protocol so it can get the SASL payload
5 - support/decline multiple authentications per session depending on
the application protocol in use

If you agree with the above, we can have a poll on this.

> You are correct that the specific
> relationship between
> the security layer PDUs and the transport do depend on the application
> protocol in use.
> My comments in this thread have been in the context of LDAP as the
> application protocol.

Also, MINA needs to be able to work with different application layer protocols.

--snip--

Regards,
Vinod.

Mime
View raw message