Hi,
David Boreham wrote:
Thank you for your clarification! So there are two ways for users to
authenticate themselves in a secure manner; one with LDAPS and the
other with SASL, right?
Yes, David's explanation about external SASL auth. via certificates was
helpful.
I've recently had to wrap my head about this stuff too. A nice way of
being reminded that SASL is a generic mechanism allowing for a variety of
authentication methods is to ask the LDAP server which SASL methods of
auth. it supports:
ldapsearch -D 'cn=admin,dc=acme,dc=org' -x -w ***** -s base -b '' objectclass=* supportedsaslmechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#
#
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
Via JNDI you specify which algorithm you want to use in the security
protocol environment property. So, from the above, I can tell that the
particular openldap instance supports two methods of SASL auth.
Nick
Not quite. SASL is the generic authentication framework.
It has various alternative mechanisms. One of them is
SASL-EXTERNAL, which basically says 'get the authentication
credentials from the transport layer' (SSL in this case).
There are other SASL mechanisms, such as GSSAPI
where the credentials come in the BIND PDU payload.
So to perform cert-based auth to an LDAP server,
you use both SSL and SASL.
--
ATLASSIAN - http://www.atlassian.com/
Confluence - the enterprise wiki - tried it yet?
http://www.atlassian.com/confluence/
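As an added example (not code from anyone in this thread), a small Python script that parses the LDIF printed by the root DSE query Nick ran and groups the advertised SASL mechanisms by what an administrator should know about them. The sample LDIF is constructed: it is the output above with EXTERNAL and PLAIN added for illustration.

```python
"""Added example: parse `ldapsearch -s base -b '' supportedSASLMechanisms`
output and sort the advertised SASL mechanisms into hardening categories."""
import re

# Constructed sample: the root DSE answer from the thread, plus two more
# mechanisms (EXTERNAL, PLAIN) so every category below is exercised.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: objectclass=*
# requesting: supportedsaslmechanisms
#
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
"""

# Mechanisms that carry the password itself in the bind; only safe inside TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# MD5 challenge/response mechanisms: RFC 6331 moved DIGEST-MD5 to Historic, and
# both need the server to keep the password (or a password-equivalent) on hand.
LEGACY_MD5_MECHS = {"CRAM-MD5", "DIGEST-MD5"}
# Identity comes from the transport (client certificate) or from Kerberos.
STRONG_MECHS = {"EXTERNAL", "GSSAPI", "GS2-KRB5"}


def parse_sasl_mechanisms(ldif):
    """Return mechanism names from supportedSASLMechanisms lines, any case."""
    mechs = []
    for line in ldif.splitlines():
        if line.startswith("#"):          # ldapsearch comment banner
            continue
        m = re.match(r"(?i)supportedSASLMechanisms:\s*(\S+)", line)
        if m:
            mechs.append(m.group(1).upper())
    return mechs


def assess(mechs):
    """Group the mechanisms so the server's exposure is visible at a glance."""
    found = set(mechs)
    known = STRONG_MECHS | LEGACY_MD5_MECHS | CLEARTEXT_MECHS
    return {
        "strong": sorted(found & STRONG_MECHS),
        "legacy_md5": sorted(found & LEGACY_MD5_MECHS),
        "needs_tls": sorted(found & CLEARTEXT_MECHS),
        "unclassified": sorted(found - known),
    }


if __name__ == "__main__":
    for group, names in assess(parse_sasl_mechanisms(SAMPLE_LDIF)).items():
        print(f"{group:13s} {', '.join(names) or '-'}")
```

Run it against real output by piping `ldapsearch` into the script instead of the embedded sample; a server that lists only the two MD5 mechanisms, as the one in the thread does, offers no certificate or Kerberos based bind at all.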