directory-dev mailing list archives

From Nick Faiz <n...@atlassian.com>
Subject Re: [Servser] SSL Support?
Date Fri, 23 Sep 2005 00:32:31 GMT
Hi,

David Boreham wrote:
> 
>> Thank you for your clarification!  So there are two ways for users to 
>> authenticate themselves in a secure manner; one with LDAPS and the 
>> other with SASL, right?
> 

Yes, David's explanation about external SASL auth. via certificates was 
helpful.

I've recently had to wrap my head around this stuff too. A nice way of 
being reminded that SASL is a generic mechanism allowing for a variety of 
authentication methods is to ask the LDAP server which SASL methods of 
auth. it supports:

ldapsearch -D 'cn=admin,dc=acme,dc=org' -x -w ***** -s base -b '' 'objectclass=*' supportedsaslmechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

Via JNDI you specify which algorithm you want to use in the security 
protocol environment property. So, from the above, I can tell that the 
particular OpenLDAP instance supports two methods of SASL auth.


Nick


> 
> Not quite. SASL is the generic authentication framework.
> It has various alternative mechanisms. One of them is
> SASL-EXTERNAL, which basically says 'get the authentication
> credentials from the transport layer' (SSL in this case).
> There are other SASL mechanisms, such as GSSAPI
> where the credentials come in the BIND PDU payload.
> 
> So to perform cert-based auth to an LDAP server,
> you use both SSL and SASL.
> 
> 
> 


-- 
ATLASSIAN - http://www.atlassian.com/

Confluence - the enterprise wiki - tried it yet?
http://www.atlassian.com/confluence/
--
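As an added illustration (not part of Nick's post, David's reply, or OpenLDAP itself), the Python script below parses the kind of LDIF that the rootDSE query above prints and evaluates each advertised supportedSASLMechanisms value against a simple policy: mechanisms that take credentials from the transport layer or a Kerberos ticket (EXTERNAL, GSSAPI) are treated as strong, the MD5 challenge/response mechanisms the post's server advertises are flagged as legacy (RFC 6331 moved DIGEST-MD5 to Historic), and cleartext mechanisms such as PLAIN are only accepted when the connection is protected by TLS (LDAPS or StartTLS). The sample LDIF, its extra mechanisms, and the policy sets are constructed for this example.

```python
"""Parse rootDSE LDIF from `ldapsearch ... supportedSASLMechanisms` and
evaluate the advertised SASL mechanisms against a simple policy.
Added example; the sample output and the policy sets are constructed."""
import base64

# Constructed sample, modelled on the ldapsearch transcript in the post but
# with a few extra mechanisms (one of them base64-encoded, as LDIF allows).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#

#
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms:: R1NTQVBJ

# search result
search: 2
result: 0 Success
"""

# Policy sets (constructed for this example):
#  - STRONG: credentials come from the transport layer (EXTERNAL, i.e. a client
#    certificate on the TLS session) or from Kerberos/SCRAM exchanges.
#  - LEGACY: MD5-based challenge/response; DIGEST-MD5 is Historic per RFC 6331.
#  - CLEARTEXT: password travels in the BIND payload, acceptable only over TLS.
STRONG = {"EXTERNAL", "GSSAPI", "SCRAM-SHA-1", "SCRAM-SHA-256"}
LEGACY = {"CRAM-MD5", "DIGEST-MD5"}
CLEARTEXT = {"PLAIN", "LOGIN"}


def parse_ldif_attr(ldif: str, attr: str) -> list[str]:
    """Return every value of `attr` (attribute names compared case-insensitively).

    Handles LDIF folding (a continuation line starts with one space), comment
    lines, and base64 values written with a double colon ("attr:: ...").
    """
    unfolded: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    values: list[str] = []
    for line in unfolded:
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            values.append(base64.b64decode(rest[1:].strip()).decode())
        else:
            values.append(rest.strip())
    return values


def evaluate(mechanisms: list[str], tls_in_use: bool) -> dict[str, str]:
    """Map each advertised mechanism to a verdict under the policy above."""
    verdicts: dict[str, str] = {}
    for mech in mechanisms:
        if mech in STRONG:
            verdicts[mech] = "ok"
        elif mech in LEGACY:
            verdicts[mech] = "legacy: obsolete MD5-based challenge/response"
        elif mech in CLEARTEXT:
            verdicts[mech] = ("ok only over TLS" if tls_in_use
                              else "unsafe: cleartext credentials without TLS")
        else:
            verdicts[mech] = "unknown: review before allowing"
    return verdicts


if __name__ == "__main__":
    mechs = parse_ldif_attr(SAMPLE_LDIF, "supportedSASLMechanisms")
    # Pass tls_in_use=True when the search ran over ldaps:// or after StartTLS.
    for mech, verdict in evaluate(mechs, tls_in_use=False).items():
        print(f"{mech:<16} {verdict}")
```

Feeding the script real output is a matter of piping the ldapsearch command from the post into it; the interesting design point is that the verdict for PLAIN depends on how the connection was made, which mirrors David's point that SASL on its own is only the framework and the transport (SSL/TLS) decides whether a given mechanism is safe to use.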
