HP-UX Directory Server 8.1 administrator guide
13 Managing SASL
HP-UX Directory Server supports LDAP client authentication through the Simple Authentication
and Security Layer (SASL), an alternative to TLS/SSL and a native way for some applications to
share information securely.
The SASL framework allows different mechanisms to be used to authenticate a user to the server,
depending on what mechanism is enabled in both client and server applications. SASL also
creates a layer for encrypted (secure) sessions. Using GSS-API, Directory Server utilizes Kerberos
tickets to authenticate sessions and encrypt data.
This chapter describes how to use SASL with Directory Server.
Topics include:
• “Overview of SASL in Directory Server” (page 501)
• “Configuring SASL identity mapping” (page 507)
• “Configuring SASL authentication at Directory Server startup” (page 509)
• “Using an external keytab” (page 509)
NOTE:
SASL encryption is not supported for client connections that use TLS/SSL.
13.1 Overview of SASL in Directory Server
Simple Authentication and Security Layer (SASL) is an abstraction layer between protocols like
LDAP and authentication methods like GSS-API. It allows any protocol that can interact
with SASL to use any authentication mechanism that works with SASL. Simply put, SASL
is an intermediary that makes authenticating to applications using different mechanisms easier.
SASL can also be used to establish an encrypted session between a client and server.
Directory Server uses SASL as an alternative to TLS/SSL, particularly for environments that are
using Kerberos to implement single sign-on. Directory Server allows users to use SASL to
authenticate and bind to the server. This includes LDAP tools like ldapsearch and ldapmodify.
For example:
ldapsearch -p 389 -h server.example.com -o "mech=GSSAPI" \
    -o "authid=dn:uid=jsmith,ou=people,dc=example,dc=com" \
    -o "realm=EXAMPLE.COM" -b "dc=example,dc=com" "(uid=jsmith)"
NOTE:
SASL proxy authorization is not supported in Directory Server; therefore, Directory Server ignores
any SASL authzid value supplied by the client.
Two primary pieces of information are required to use SASL with Directory Server:
• The authentication method, in this example GSS-API
• The user as whom you are authenticating (the authid or authorization ID)
Other information, such as the Kerberos realm, can also be passed with the command. The SASL
options for Directory Server tools are described more in the HP-UX Directory Server configuration,
command, and file reference.
When a client connects to Directory Server using SASL, the Directory Server takes the identity
offered as the SASL authid and maps it to an entry in the Directory Server. If the
authid is given as a DN (as in authid=dn:DN), this is done simply by matching the DN. It
is also possible to use a username or a part of a DN, and these are mapped to the directory
entry using SASL identity mappings.
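The following Python script is an added example, not part of the administrator guide or of Directory Server itself. It models the mapping step just described: a dn: authid is resolved by matching the DN directly, while other authid forms (a bare username, a u: prefixed username, or a Kerberos principal) are resolved through regex-based identity mappings that produce a base DN and search filter. The directory contents, the mapping rules, the u: prefix handling, and the "first matching rule wins, and it must return exactly one entry" policy are all assumptions made for this demo; the SASL authzid is accepted but ignored, matching the note above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample directory: DN -> attributes (not real data).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=jsmith,ou=people,dc=example,dc=com": {"uid": "jsmith", "cn": "John Smith"},
    "uid=adoe,ou=people,dc=example,dc=com": {"uid": "adoe", "cn": "Anne Doe"},
}

# Constructed SASL identity mappings (assumption: each rule has a regex that is
# matched against the authid, plus base-DN and filter templates that may refer
# to regex capture groups with \1, \2, ...).
SASL_MAPPINGS: List[Dict[str, str]] = [
    {   # Kerberos principal jsmith@EXAMPLE.COM -> uid=jsmith under ou=people
        "name": "kerberos-principal",
        "regex": r"^([^@]+)@EXAMPLE\.COM$",
        "base_dn": "ou=people,dc=example,dc=com",
        "filter": r"(uid=\1)",
    },
    {   # plain username with no realm -> uid=<name> under ou=people
        "name": "plain-uid",
        "regex": r"^([^@=,]+)$",
        "base_dn": "ou=people,dc=example,dc=com",
        "filter": r"(uid=\1)",
    },
]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace so DNs compare consistently."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Toy subtree search supporting only a single equality filter (attr=value)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.groups()
    suffix = "," + normalize_dn(base_dn)
    return [
        dn for dn, entry in DIRECTORY.items()
        if normalize_dn(dn).endswith(suffix) and entry.get(attr) == value
    ]


def map_sasl_identity(authid: str, authzid: Optional[str] = None) -> Optional[str]:
    """Resolve a SASL authid to a directory entry DN, or None if the bind must fail.

    The authzid parameter is accepted only to show that it is ignored: Directory
    Server does not support SASL proxy authorization.
    """
    del authzid  # deliberately unused

    # Form 1: authid=dn:<DN> -> match the DN directly, no mapping rules involved.
    if authid.startswith("dn:"):
        target = normalize_dn(authid[len("dn:"):])
        for dn in DIRECTORY:
            if normalize_dn(dn) == target:
                return dn
        return None

    # Form 2: authid=u:<name> (assumption for this demo) -> strip prefix, then map.
    if authid.startswith("u:"):
        authid = authid[len("u:"):]

    # Form 3: anything else goes through the identity mappings in order.
    for mapping in SASL_MAPPINGS:
        m = re.fullmatch(mapping["regex"], authid)
        if not m:
            continue
        base = m.expand(mapping["base_dn"])   # expand \1-style references
        flt = m.expand(mapping["filter"])
        matches = search(base, flt)
        # Demo policy: the first rule whose regex matches decides, and it must
        # identify exactly one entry; zero or several matches reject the bind.
        return matches[0] if len(matches) == 1 else None
    return None


if __name__ == "__main__":
    for ident in ("dn:uid=jsmith,ou=people,dc=example,dc=com",
                  "jsmith@EXAMPLE.COM", "u:adoe", "nobody@EXAMPLE.COM"):
        print(f"{ident!r:50} -> {map_sasl_identity(ident)}")
```

A useful check when debugging a failing GSSAPI bind is to run the principal the client actually presents through the mapping rules by hand, as this script does, and confirm that exactly one entry comes back; a rule that matches too broadly returns several entries and the bind is refused just as if no rule had matched.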