HP-UX Directory Server 8.1 administrator guide
13.1.3 Authentication mechanisms for SASL in Directory Server
Directory Server supports the following SASL mechanisms:
• EXTERNAL
EXTERNAL, as with TLS/SSL, performs certificate-based authentication. This method uses
public keys for strong authentication.
• CRAM-MD5
CRAM-MD5 is a simple challenge-response authentication method. It does not establish any
security layer, unlike GSS-API. Both DIGEST-MD5 and GSS-API are much more secure, so
both of those methods are recommended over CRAM-MD5.
• DIGEST-MD5
DIGEST-MD5 is a mandatory authentication method for LDAPv3 servers. While it is not as
strong as public key systems or Kerberos authentication methods, it is preferred over plain
text passwords and does protect against plain text attacks.
• Generic Security Services (GSS-API)
Generic Security Services (GSS) is a security API that is the native way for UNIX-based
operating systems to access and authenticate Kerberos services. GSS-API also supports
session encryption, similar to TLS/SSL. (GSS-API is not compatible with TLS/SSL; they cannot
be used simultaneously.) This allows LDAP clients to authenticate with the server using
Kerberos version 5 credentials (tickets) and to use network session encryption.
For Directory Server to use GSS-API, Kerberos must be configured on the host machine. See
“About Kerberos with Directory Server”.
NOTE:
GSS-API and, thus, Kerberos are only supported on platforms that have GSS-API support.
To use GSS-API, it may be necessary to install the Kerberos client libraries; any required
Kerberos libraries will be available through the operating system vendor.
CRAM-MD5, DIGEST-MD5, and GSS-API are all shared secret mechanisms. The server challenges
the client attempting to bind with a secret, such as a password, that depends on the mechanism.
The user sends back the response required by the mechanism.
NOTE:
DIGEST-MD5 requires clear text passwords. The Directory Server requires the clear text password
in order to generate the shared secret. Passwords already stored as a hashed value, such as SHA1,
cannot be used with DIGEST-MD5.
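The shared secret exchange described above, and why the server needs the clear text password, worked through with the simplest of the three mechanisms, CRAM-MD5 (RFC 2195), as an added Python illustration; this is not Directory Server's own code, and the two password stores are constructed placeholders, not its storage format:

```python
import hashlib
import hmac
import os
import time

# Constructed password stores (hypothetical, for illustration only). The form the
# password is kept in decides whether the server can take part in the mechanism.
CLEAR_STORE = {"alice": b"correct horse battery staple"}
HASHED_STORE = {"alice": hashlib.sha1(b"correct horse battery staple").hexdigest()}


def server_challenge(host: str = "ldap.example.com") -> bytes:
    """RFC 2195 style challenge, unique per bind attempt: <pid.timestamp@host>."""
    return f"<{os.getpid()}.{int(time.time())}@{host}>".encode()


def client_response(username: str, password: bytes, challenge: bytes) -> bytes:
    """Client proves it knows the password without sending it: HMAC-MD5(password, challenge)."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes, store: dict) -> bool:
    """Server recomputes the HMAC from its own copy of the secret and compares."""
    username, digest = response.decode().split(" ", 1)
    secret = store.get(username)
    if not isinstance(secret, bytes):
        # Only the clear text password works as the HMAC key; a stored SHA1 hash
        # of the password cannot reproduce the client's digest, so the bind fails.
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def bind_outcome(store: dict, password: bytes = b"correct horse battery staple") -> bool:
    """One complete challenge-response bind attempt for alice against a given store."""
    chal = server_challenge()
    resp = client_response("alice", password, chal)
    return server_verify(resp, chal, store)
```

The same bind succeeds against the clear text store and fails against the SHA1 store, which is the behaviour the note above describes for DIGEST-MD5 as well.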
13.1.4 About Kerberos with Directory Server
Kerberos v5 must be deployed on the host for Directory Server to utilize the GSS-API mechanism
for SASL authentication. GSS-API and Kerberos client libraries must be installed on the Directory
Server host to take advantage of Kerberos services.
HP-UX 11i supports HP Kerberos version 2.1.
The concepts of Kerberos, as well as using and configuring Kerberos, are covered at the MIT
Kerberos website, http://web.mit.edu/Kerberos/.
13.1.4.1 About principals and realms
A principal is a user in the Kerberos environment. A realm is a set of users and the authentication
methods for those users to access the realm. A realm resembles a fully-qualified domain name
13.1 Overview of SASL in Directory Server 505