Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The UnboundID Ms Chap V2 SASL Mechanism Handler provides support for authenticating clients with the MS-CHAPv2 protocol described in RFC 2759.
This SASL mechanism handler requires the Bouncy Castle JCE provider, which is not included with the Directory Server, in order to simplify United States export control restrictions imposed on the distribution of cryptographic functionality. If you wish to use this feature, you must first obtain the necessary library from the Bouncy Castle website (https://bouncycastle.org/). This implementation has been compiled and tested with version 1.64 of the library, available in file https://www.bouncycastle.org/download/bcprov-jdk15on-164.jar. This file should be placed in the "lib" directory beneath the server install root. The server will need to be restarted for this library to be available for use.
The MS-CHAPv2 protocol relies on the MD4 digest algorithm and the DES encryption algorithm, both of which are considered insecure. It also relies on user passwords being stored in a reversible form (e.g., using the AES password storage scheme), which is considered less secure than user passwords stored in a non-reversible form because an attacker may be able to decrypt the values in order to obtain their plain-text representations. This SASL mechanism handler should only be enabled for use in legacy environments where MS-CHAPv2 authentication is required. In order to mitigate the risk of exposing weakly-encoded credentials to anyone capable of observing network communication between the client and the server, this SASL mechanism handler can only be used to authenticate clients that are communicating with the server over a secure (e.g., via SSL or StartTLS) channel.
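The following added example (not code from the Directory Server or its vendor) computes the RFC 2759 NT-Response in Java to show where the MD4 and DES dependencies described above come from, and why the verifying side must be able to recover the password in order to derive the same MD4 value. It assumes the Bouncy Castle provider jar is on the classpath; the class name, user name, password, and all-zero challenges are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.crypto.digests.MD4Digest; // supplied by the bcprov jar
// Added illustration of the RFC 2759 NT-Response; not the server's own code.
public class MsChapV2Sketch {
  // NtPasswordHash: unsalted MD4 over the UTF-16LE clear-text password.
  static byte[] ntPasswordHash(String password) {
    byte[] pw = password.getBytes(StandardCharsets.UTF_16LE);
    MD4Digest md4 = new MD4Digest();
    md4.update(pw, 0, pw.length);
    byte[] hash = new byte[md4.getDigestSize()];
    md4.doFinal(hash, 0);
    return hash;
  }
  // ChallengeHash: first 8 bytes of SHA-1(peerChallenge || authChallenge || userName).
  static byte[] challengeHash(byte[] peer, byte[] auth, String user) throws Exception {
    MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
    sha1.update(peer); sha1.update(auth);
    sha1.update(user.getBytes(StandardCharsets.US_ASCII));
    return Arrays.copyOf(sha1.digest(), 8);
  }
  // Spread 7 key bytes over 8 bytes, leaving the low (parity) bit of each byte clear.
  static byte[] desKey(byte[] src, int off) {
    long bits = 0;
    for (int i = 0; i < 7; i++) bits = (bits << 8) | (src[off + i] & 0xFF);
    byte[] key = new byte[8];
    for (int i = 0; i < 8; i++) key[i] = (byte) (((bits >>> (49 - 7 * i)) & 0x7F) << 1);
    return key;
  }
  // NT-Response: the hash, zero-padded to 21 bytes, keys three single-DES encryptions.
  static byte[] ntResponse(byte[] challenge8, byte[] ntHash) throws Exception {
    byte[] padded = Arrays.copyOf(ntHash, 21);
    byte[] out = new byte[24];
    Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
    for (int i = 0; i < 3; i++) {
      des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desKey(padded, 7 * i), "DES"));
      des.doFinal(challenge8, 0, 8, out, 8 * i);
    }
    return out;
  }
  public static void main(String[] args) throws Exception {
    byte[] peer = new byte[16], auth = new byte[16]; // constructed all-zero challenges
    byte[] resp = ntResponse(challengeHash(peer, auth, "User"), ntPasswordHash("clientPass"));
    System.out.println(new java.math.BigInteger(1, resp).toString(16));
  }
}
```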
The UnboundID Ms Chap V2 SASL Mechanism Handler component inherits from the SASL Mechanism Handler.
The following components have a direct aggregation relation from UnboundID Ms Chap V2 SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
Basic Properties | Advanced Properties |
---|---|
description | None |
enabled | |
identity-mapper | |
Property | description |
Description | A description for this SASL Mechanism Handler |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property | enabled |
Description | Indicates whether the SASL mechanism handler is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | This SASL mechanism handler implementation requires the Bouncy Castle JCE provider, which is not included with the Directory Server, in order to simplify United States export control restrictions imposed on the distribution of cryptographic functionality. If you wish to use this feature, you must first obtain the necessary library from the Bouncy Castle website (https://bouncycastle.org/). This implementation has been compiled and tested with version 1.64 of the library, available in file https://www.bouncycastle.org/download/bcprov-jdk15on-164.jar. This file should be placed in the "lib" directory beneath the server install root. The server will need to be restarted for this library to be available for use. |
Property | identity-mapper |
Description | The identity mapper that should be used to identify the entry associated with the username provided in the bind request. |
Default Value | None |
Allowed Values | The DN of any Identity Mapper. If this UnboundID Ms Chap V2 SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
To list the configured SASL Mechanism Handlers:
dsconfig list-sasl-mechanism-handlers [--property {propertyName}] ...
To view the configuration for an existing SASL Mechanism Handler:
dsconfig get-sasl-mechanism-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing SASL Mechanism Handler:
dsconfig set-sasl-mechanism-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new UnboundID Ms Chap V2 SASL Mechanism Handler:
dsconfig create-sasl-mechanism-handler --handler-name {name} --type unboundid-ms-chap-v2 --set enabled:{propertyValue} --set identity-mapper:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing SASL Mechanism Handler:
dsconfig delete-sasl-mechanism-handler --handler-name {name}