SASL
... unauthenticated, and name/password mechanisms, and the Simple
Authentication and Security Layer (SASL) method, which supports a
wide variety of authentication mechanisms ...
... security layers in Transport
Layer Security (TLS) or SASL mechanisms.
(4) Data confidentiality ...
... security layers in TLS
or SASL mechanisms.
(5) Server resource usage limitation by means of administrative
...
... TLS are available to LDAP only in
combination with the SASL EXTERNAL authentication method (see Section
5.2.3), and then only if the SASL EXTERNAL implementation chooses to
make use of the TLS credentials ...
... TLS is currently established on the session,
- when a multi-stage SASL negotiation is in progress on the
session, or
...
... client that has provided a suitable certificate subsequently
performs a Bind operation using the SASL EXTERNAL authentication
mechanism (Section 5.2.3), information in the certificate may be used
...
... SASL Authentication Method ...
... The sasl authentication method of the Bind Operation provides
facilities for using any SASL mechanism including authentication
mechanisms and other services (e.g., data security services ...
... LDAP.
Each protocol that utilizes SASL services is required to supply
certain information profiling the way they are exposed through the
...
... - The mechanism element of the SaslCredentials sequence contains
the value of the desired SASL mechanism.
- The optional credentials field of the SaslCredentials sequence
...
... RFC4422], Sections 3 and 5).
In general, a SASL authentication protocol exchange consists of a
series of server challenges and client responses, the contents of
which are specific to and defined by the SASL mechanism. Thus, for
some SASL authentication mechanisms, it may be necessary for the
client ...
... saslBindInProgress. This indicates that the server requires the
client to send a new BindRequest message with the same SASL mechanism
to continue the authentication process.
...
... OCTET STRING) in the SaslCredentials sequence of a BindRequest
message to transmit each response. Note that unlike some Internet
protocols where SASL is used, LDAP is not text based and does not
Base64 ...
...
A client may abort a SASL Bind negotiation by sending a BindRequest
message with a different value in the mechanism field of
...
... client to abort a
negotiation if it wishes to try again with the same SASL mechanism.
The server indicates completion of the SASL challenge-response
exchange by responding with a BindResponse in which the resultCode
...
... As discussed above, LDAP provides an optional field for carrying an
initial response in the message initiating the SASL exchange and
provides an optional field for carrying additional data in the
message indicating the outcome of the authentication exchange. As
the mechanism-specific content in these fields may be zero length,
SASL requires protocol specifications to detail how an empty field is
distinguished from an absent field.
...
... PDU. If the client does not intend to send an initial
response with the BindRequest initiating the SASL exchange, it MUST
omit the SaslCredentials.credentials OCTET STRING (rather than
...
...
SASL layers take effect following the transmission by the server and
reception by the client of the final BindResponse in the SASL
exchange with a resultCode of success.
Once a SASL layer providing data integrity or confidentiality ...
... BindResponse of the Bind operation that caused the new layer to take
effect). Thus, an established SASL layer is not affected by a failed
or non-SASL ...
... Determination of Supported SASL Mechanisms ...
...
Clients may determine the SASL mechanisms a server supports by
reading the 'supportedSASLMechanisms' attribute from the root DSE ...
... root DSE both before and
after the SASL authentication exchange. The purpose of the latter is
to allow the client ...
... RFC4422], Section 6.1.2).
Because SASL mechanisms provide critical security functions, clients
and servers ...
... Rules for Using SASL Layers ...
... refresh
all information about the server that it obtained prior to the
initiation of the SASL negotiation and that it did not obtain through
secure mechanisms.
...
... If a lower-level security layer (such as TLS) is installed, any SASL
layer SHALL be layered on top of such security layers regardless of
the order of their negotiation. In all other respects, the SASL
layer and other security layers ...
... SASL Authorization Identities ...
... Implementers must take care to maintain the semantics of SASL
specifications when handling data that has different semantics in the
...
...
A client can use the SASL EXTERNAL ([RFC4422], Appendix A) mechanism
to request the LDAP server ...
... credentials have not been established at a
lower security layer, the SASL EXTERNAL Bind MUST fail with a
resultCode of inappropriateAuthentication. Although this situation
has the effect of leaving the LDAP ...
... An implicit authorization identity assertion is performed by invoking
a Bind request of the SASL form using the EXTERNAL mechanism name
that does not include the optional credentials field (found within
...
... An explicit authorization identity assertion is performed by invoking
a Bind request of the SASL form using the EXTERNAL mechanism name
that includes the credentials field (found within the SaslCredentials
...
... privacy services (e.g., via StartTLS, IPsec, or a suitable SASL
mechanism) is subject to man-in-the-middle attacks ...
... discloses the password to the server, which is an inherent security
risk. There are other mechanisms, such as SASL DIGEST-MD5
[DIGEST-MD5 ...
... authentication or modification -- poses a significant security risk.
This risk can be avoided by using SASL authentication [RFC4422]
...
... name/password Bind with password value,
SASL Bind transmitting a password value in the clear, add or
...
... SASL Security Considerations ...
... attacker can modify the transmitted values of the
'supportedSASLMechanisms' attribute response and thus downgrade the
list of available SASL mechanisms to include only the least secure
mechanism. To detect this type of attack, the client may retrieve
the SASL mechanisms the server makes available both before and after
data integrity service ...
... Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. ...
... Leach, P., Newman, C., and A. Melnikov, "Using Digest Authentication as a SASL Mechanism", Work in Progress, March 2006. ...
... Zeilenga, K., "The PLAIN SASL Mechanism", Work in Progress, March 2005. ...
... identity presented by the client, but
it may be different. SASL allows clients to specify an authorization
identity distinct from the authentication ...
... name/password authentication mechanism (see Section B.2.5
below) protected by TLS replaces the SASL DIGEST-MD5 mechanism as
LDAP ...
... password-based authentication
mechanism. Implementations are encouraged to continue supporting
SASL DIGEST-MD5 [DIGEST-MD5].
...
...
- As the SASL-DIGEST-MD5 mechanism is no longer mandatory to
implement, this section is now historical and was not included in
this document. RFC 2829, Section 6.1, continues to document the
SASL DIGEST-MD5 authentication mechanism.
...
... authentication mechanisms are explicitly allowed within
LDAP. Specifically, this means the SASL ANONYMOUS and SASL PLAIN
mechanisms are no longer precluded from use within LDAP.
...
