Red Hat Directory Server 8.0 Administrator's Guide

Chapter 12. Managing SASL
Red Hat Directory Server supports LDAP client authentication through the Simple
Authentication and Security Layer (SASL), an alternative to TLS/SSL and a native way for some
applications to share information securely.
Directory Server supports SASL authentication using the DIGEST-MD5 and GSS-API
mechanisms, allowing Kerberos tickets to authenticate sessions and encrypt data. This chapter
describes how to use SASL with Directory Server.
SASL is a framework, meaning it sets up a system that allows different mechanisms to be used
to authenticate a user to the server, depending on what mechanism is enabled in both client
and server applications.
SASL can also set up a security layer for an encrypted session. Directory Server utilizes the
GSS-API mechanism to encrypt data during sessions.
NOTE
SASL data encryption is not supported for client connections that use TLS/SSL.
1. Authentication Mechanisms
Directory Server supports the following SASL authentication mechanisms:
EXTERNAL. The EXTERNAL authentication mechanism is utilized by services such as
TLS/SSL. It can be used with public keys for strong authentication, such as client
certificate-based authentication.
CRAM-MD5. CRAM-MD5 is a simple challenge-response authentication method that provides
no security layer. Red Hat recommends using a more secure mechanism such as
DIGEST-MD5 or GSS-API.
DIGEST-MD5. DIGEST-MD5 is a mandatory authentication method for LDAPv3 servers. While
it is not as strong as public key systems or Kerberos authentication methods, it is preferred
over plain text passwords and does protect against plain text attacks.
Generic Security Services (GSS-API). Generic Security Services (GSS) is a security API that
is the native way for UNIX-based operating systems to access and authenticate Kerberos
services. GSS-API also supports session encryption, similar to TLS/SSL. (However, GSS-API
is not compatible with TLS/SSL; they cannot be used simultaneously.) This allows LDAP
clients to authenticate with the server using Kerberos version 5 credentials (tickets) and to
use network session encryption.
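As an added illustration of the DIGEST-MD5 challenge-response described above (example code written for this page, not code from the Directory Server guide or product), the client answers the server's nonce with the RFC 2831 digest and the server recomputes it from its stored secret, so the password itself is never placed on the wire and a captured response cannot be reused against a fresh nonce. The realm, user name, digest-uri and nonces are constructed values, and the replay tracking is a simplification of the nonce-count handling in the RFC.

```python
import hashlib
import hmac
import secrets

def _h(data: bytes) -> bytes:
    """MD5 digest, the H() function of RFC 2831."""
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """DIGEST-MD5 response-value (RFC 2831, section 2.1.2.1). A1 starts with the *raw*
    MD5 of user:realm:password, so the wire value is bound to both parties' nonces."""
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):  # integrity / confidentiality security layer
        a2 += b":" + b"0" * 32
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}".encode()
    return _h(kd).hex()

def client_respond(challenge, username, password, digest_uri):
    """Client side: answer the challenge; the password itself never goes on the wire."""
    msg = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
           "cnonce": secrets.token_hex(16), "nc": "00000001", "qop": "auth",
           "digest-uri": digest_uri}
    msg["response"] = digest_md5_response(username, msg["realm"], password, msg["nonce"],
                                          msg["cnonce"], msg["nc"], msg["qop"], digest_uri)
    return msg

def server_verify(challenge, msg, stored_password, used_nonces):
    """Server side: recompute from the stored secret and compare in constant time.
    Simplified replay check: the nonce must be the one this server issued and not yet
    accepted, otherwise a captured digest-response could simply be resent."""
    if msg["nonce"] != challenge["nonce"] or msg["nonce"] in used_nonces:
        return False
    expected = digest_md5_response(msg["username"], msg["realm"], stored_password,
                                   msg["nonce"], msg["cnonce"], msg["nc"], msg["qop"],
                                   msg["digest-uri"])
    if not hmac.compare_digest(expected, msg["response"]):
        return False
    used_nonces.add(msg["nonce"])
    return True

def demo(password="s3cret-pw"):
    """One exchange with constructed values: (wire message, accepted, wrong password, replay)."""
    challenge = {"realm": "example.com", "nonce": secrets.token_hex(16), "qop": "auth"}
    used = set()
    msg = client_respond(challenge, "jdoe", password, "ldap/ldap.example.com")
    accepted = server_verify(challenge, msg, password, used)
    wrong_pw = server_verify(challenge, msg, "not-the-password", set())
    replay = server_verify(challenge, msg, password, used)  # same nonce again: rejected
    return msg, accepted, wrong_pw, replay
```

Calling demo() returns the client's wire message together with the server's verdicts for the correct password, a wrong password and a replayed message, which makes it easy to confirm that the password string appears nowhere in what crosses the network.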