directory-dev mailing list archives

From Nick Faiz <>
Subject Re: [Servser] SSL Support?
Date Fri, 23 Sep 2005 00:32:31 GMT

David Boreham wrote:
>> Thank you for your clarification!  So there are two ways for users to 
>> authenticate themselves in a secure manner; one with LDAPS and the 
>> other with SASL, right?

Yes, David's explanation about external SASL auth. via certificates was 

I've recently had to wrap my head around this stuff too. A nice way of 
being reminded that SASL is a generic mechanism allowing for a variety of 
authentication methods is to ask the LDAP server which SASL methods of 
auth. it supports:

ldapsearch -D 'cn=admin,dc=acme,dc=org' -x -w ***** -s base -b '' objectclass=* supportedsaslmechanisms
# extended LDIF
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms

supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

Via JNDI you specify which algorithm you want to use in the security 
protocol environment property. So, from the above, I can tell that the 
particular OpenLDAP instance supports two methods of SASL auth.


> Not quite. SASL is the generic authentication framework.
> It has various alternative mechanisms. One of them is
> SASL-EXTERNAL, which basically says 'get the authentication
> credentials from the transport layer' (SSL in this case).
> There are other SASL mechanisms, such as GSSAPI
> where the credentials come in the BIND PDU payload.
> So to perform cert-based auth to an LDAP server,
> you use both SSL and SASL.


