Message-ID: <43334D1F.1020907@atlassian.com>
Date: Fri, 23 Sep 2005 10:32:31 +1000
From: Nick Faiz
To: Apache Directory Developers List <dev@directory.apache.org>
Subject: Re: [Servser] SSL Support?
References: <768dcb2e05092207562df38742@mail.gmail.com> <4332C814.2060604@bozemanpass.com>
In-Reply-To: <4332C814.2060604@bozemanpass.com>

Hi,

David Boreham wrote:

> >> Thank you for your clarification! So there are two ways for users to
> >> authenticate themselves in a secure manner; one with LDAPS and the
> >> other with SASL, right?
>

Yes, David's explanation about external SASL auth. via certificates was
helpful. I've recently had to wrap my head around this stuff too.

A nice way of being reminded that SASL is a generic mechanism allowing for
a variety of authentication methods is to ask the LDAP server which SASL
methods of auth. it supports:

    ldapsearch -D 'cn=admin,dc=acme,dc=org' -x -w ***** -s base -b '' objectclass=* supportedsaslmechanisms

    # extended LDIF
    #
    # LDAPv3
    # base <> with scope base
    # filter: objectclass=*
    # requesting: supportedsaslmechanisms
    #

    #
    dn:
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: DIGEST-MD5

Via JNDI you specify which algorithm you want to use in the security
protocol environment property. So, from the above, I can tell that the
particular openldap instance supports two methods of SASL auth.

Nick

>
> Not quite. SASL is the generic authentication framework.
> It has various alternative mechanisms. One of them is
> SASL-EXTERNAL, which basically says 'get the authentication
> credentials from the transport layer' (SSL in this case).
> There are other SASL mechanisms, such as GSSAPI
> where the credentials come in the BIND PDU payload.
>
> So to perform cert-based auth to an LDAP server,
> you use both SSL and SASL.
>
>

-- 
ATLASSIAN - http://www.atlassian.com/
Confluence - the enterprise wiki - tried it yet?
http://www.atlassian.com/confluence/
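The same root DSE check done from JNDI, followed by a bind that only proceeds when the server actually advertises the requested SASL mechanism. This is an added example, not code from the mail or from Apache Directory; the server URL, the principal format and the mechanism name are assumptions.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class SaslMechanismCheck {

    // Read supportedSASLMechanisms from the root DSE (empty base DN), the
    // JNDI equivalent of the ldapsearch -s base -b '' query in the mail.
    static List<String> supportedSaslMechanisms(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);             // assumed, e.g. "ldaps://ldap.example.org:636"
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // root DSE is normally readable anonymously
        DirContext ctx = new InitialDirContext(env);
        List<String> mechs = new ArrayList<>();
        try {
            Attributes attrs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"});
            Attribute attr = attrs.get("supportedSASLMechanisms");
            if (attr != null) {
                NamingEnumeration<?> values = attr.getAll();
                while (values.hasMore()) {
                    mechs.add(values.next().toString());
                }
            }
        } finally {
            ctx.close();
        }
        return mechs;
    }

    // SASL bind guarded by the check above. JNDI takes the mechanism name in
    // SECURITY_AUTHENTICATION; the transport (ldaps:// URL or SECURITY_PROTOCOL
    // "ssl") is chosen separately, which is the SSL-plus-SASL split David describes.
    static DirContext saslBind(String url, String mechanism, String principal, String password)
            throws NamingException {
        if (!supportedSaslMechanisms(url).contains(mechanism)) {
            throw new NamingException("server does not advertise SASL mechanism " + mechanism);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism); // e.g. "DIGEST-MD5" from the list above
        env.put(Context.SECURITY_PRINCIPAL, principal);      // assumed SASL username, e.g. "admin"
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
}
```

Refusing to bind when the mechanism is not advertised avoids silently falling back to a weaker method, and the advertised list is also what to review when deciding whether the server should still offer CRAM-MD5 or DIGEST-MD5 at all.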