UnboundID Ms Chap V2 SASL Mechanism Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The UnboundID Ms Chap V2 SASL Mechanism Handler provides support for authenticating clients with the MS-CHAPv2 protocol described in RFC 2759.

The MS-CHAPv2 protocol relies on the MD4 digest algorithm and the DES encryption algorithm, both of which are considered insecure. It also relies on user passwords being stored in a reversible form (e.g., using the AES password storage scheme), which is considered less secure than user passwords stored in a non-reversible form because an attacker may be able to decrypt the values in order to obtain their plain-text representations. This SASL mechanism handler should only be enabled for use in legacy environments where MS-CHAPv2 authentication is required. In order to mitigate the risk of exposing weakly-encoded credentials to anyone capable of observing network communication between the client and the server, this SASL mechanism handler can only be used to authenticate clients that are communicating with the server over a secure (e.g., via SSL or StartTLS) channel.

In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.

This SASL mechanism handler is not supported in servers running in FIPS 140-2-compliant mode.


Parent Component

The UnboundID Ms Chap V2 SASL Mechanism Handler component inherits from the SASL Mechanism Handler.

Relations from This Component

The following components have a direct aggregation relation from UnboundID Ms Chap V2 SASL Mechanism Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 identity-mapper

Advanced Properties:
 None

Basic Properties

description

Description: A description for this SASL Mechanism Handler
Default Value: None
Allowed Values: A string
Multi-Valued: No
Required: No
Admin Action Required: None. Modification requires no further action

enabled

Description: Indicates whether the SASL mechanism handler is enabled for use.
Default Value: None
Allowed Values: true, false
Multi-Valued: No
Required: Yes
Admin Action Required: None. Modification requires no further action

identity-mapper

Description: The identity mapper that should be used to identify the entry associated with the username provided in the bind request.
Default Value: None
Allowed Values: The DN of any Identity Mapper. If this UnboundID Ms Chap V2 SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled.
Multi-Valued: No
Required: Yes
Admin Action Required: None. Modification requires no further action


dsconfig Usage

To list the configured SASL Mechanism Handlers:

dsconfig list-sasl-mechanism-handlers
     [--property {propertyName}] ...

To view the configuration for an existing SASL Mechanism Handler:

dsconfig get-sasl-mechanism-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing SASL Mechanism Handler:

dsconfig set-sasl-mechanism-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new UnboundID Ms Chap V2 SASL Mechanism Handler:

dsconfig create-sasl-mechanism-handler
     --handler-name {name}
     --type unboundid-ms-chap-v2
     --set enabled:{propertyValue}
     --set identity-mapper:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing SASL Mechanism Handler:

dsconfig delete-sasl-mechanism-handler
     --handler-name {name}