SASL Authentication Options

Command-line tools that perform LDAP communication provide the ability to use either simple or SASL authentication. Simple authentication, in which the client specifies the DN and password for the user as whom to bind, is the most common type of authentication but may not be ideal in all situations. SASL (the Simple Authentication and Security Layer, as defined in RFC 4422) provides an extensible framework that clients may use to identify themselves to the server and potentially provide additional information about the interaction between the client and server.

Because SASL is an extensible framework, there are multiple mechanisms that may be used to authenticate, and they work in different ways and with varying levels of security. In order to specify the SASL mechanism to use when authenticating, the 'mech' SASL option must always be provided with a value equal to the name of the desired SASL mechanism. The set of additional options available for use varies based on the mechanism that has been selected. The supported SASL mechanisms and the options available for use with them are provided below.

The ANONYMOUS SASL Mechanism

The ANONYMOUS mechanism does not actually perform any authentication, and therefore clients that use it should generally be treated in the same way as clients which have not performed any kind of authentication. However, it does allow clients to provide a trace string, which can be used to help identify the purpose of the associated connection or the application that is using it.

The SASL options available for use with the ANONYMOUS mechanism include:

The CRAM-MD5 SASL Mechanism

The CRAM-MD5 mechanism provides a way to perform password-based authentication in a manner that protects the password so that it is not transmitted over the network in the clear, even if the client is not using a secure connection (although it requires that the server be able to determine the clear-text representation of the user's password).

The SASL options available for use with the CRAM-MD5 mechanism include:

The DIGEST-MD5 SASL Mechanism

The DIGEST-MD5 mechanism provides a way to perform password-based authentication in a manner that protects the password so that it is not transmitted over the network in the clear, even if the client is not using a secure connection (although it requires that the server be able to determine the clear-text representation of the user's password). The DIGEST-MD5 mechanism operates in a manner that is similar to the CRAM-MD5 mechanism, except that DIGEST-MD5 is more secure and offers the ability to request an alternate authorization identity.

The SASL options available for use with the DIGEST-MD5 mechanism include:

The EXTERNAL SASL Mechanism

The EXTERNAL mechanism allows the client to authenticate using credentials that are supplied outside of the LDAP protocol but are still available to the server. In most cases, these credentials are in the form of an X.509 certificate that the client provides to the server during the process of SSL or StartTLS negotiation.

The SASL options available for use with the EXTERNAL mechanism include:

The GSSAPI SASL Mechanism

The GSSAPI mechanism allows the client to authenticate using Kerberos V. If the client already has an existing Kerberos session, then no further credentials may need to be provided. Otherwise, a new session may be established and used to authenticate to the server.

The SASL options available for use with the GSSAPI mechanism include:

The PLAIN SASL Mechanism

The PLAIN mechanism allows the client to authenticate using an identifier and password. It is similar to simple authentication, except that it is possible to identify the target user with either a username or DN, and it is also possible to request an alternate authorization identity.

The SASL options available for use with the PLAIN mechanism include:
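As an added illustration, not part of this documentation or of the tool's own code, the following Python sketch shows why the CRAM-MD5 description above says the password is protected on the wire yet the server must still know its clear-text form, and contrasts it with the PLAIN encoding described in this section. It implements the RFC 2195 CRAM-MD5 challenge/response on both the client and server side and the RFC 4616 PLAIN credential layout; the user, password, host and challenge values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample account for the demonstration (not from the page).
USERS: Dict[str, str] = {"jdoe": "correct horse battery staple"}


def cram_md5_challenge(host: str = "ldap.example.com") -> bytes:
    """Server side: a fresh, unpredictable challenge in RFC 2195 msg-id style."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}@{host}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'.
    The password is only the HMAC key; it never appears in the response."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(response: bytes, challenge: bytes,
                    users: Dict[str, str] = USERS) -> Optional[str]:
    """Server side: recompute the HMAC from the stored clear-text password
    (hence the server-side requirement) and compare in constant time.
    Returns the authenticated username, or None on any failure."""
    try:
        username, digest = response.decode().split(" ", 1)
    except ValueError:
        return None
    password = users.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def plain_credentials(authcid: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL password, sent as-is, so the
    clear-text password is on the wire unless the connection is TLS-protected."""
    return b"\0".join(s.encode() for s in (authzid, authcid, password))


if __name__ == "__main__":
    ch = cram_md5_challenge()
    resp = cram_md5_response("jdoe", USERS["jdoe"], ch)
    print("challenge:", ch)
    print("response :", resp)          # password absent from what is sent
    print("verified :", cram_md5_verify(resp, ch))
    print("PLAIN    :", plain_credentials("jdoe", USERS["jdoe"], "u:admin"))
```

Replaying a captured CRAM-MD5 response against a new challenge fails verification, which is the property the page's "not transmitted in the clear" wording relies on.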

The UNBOUNDID-DELIVERED-OTP SASL Mechanism

The UNBOUNDID-DELIVERED-OTP mechanism allows the client to perform multifactor authentication by combining a static password with a one-time password delivered to the user through some out-of-band mechanism.

The SASL options available for use with the UNBOUNDID-DELIVERED-OTP mechanism include:

The UNBOUNDID-TOTP SASL Mechanism

The UNBOUNDID-TOTP mechanism allows the client to perform multifactor authentication by combining a static password with a time-based one-time password.

The SASL options available for use with the UNBOUNDID-TOTP mechanism include:

The UNBOUNDID-YUBIKEY-OTP SASL Mechanism

The UNBOUNDID-YUBIKEY-OTP mechanism allows the client to perform multifactor authentication by combining a static password with a one-time password generated by a YubiKey device.

The SASL options available for use with the UNBOUNDID-YUBIKEY-OTP mechanism include: