Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The UnboundID Ms Chap V2 SASL Mechanism Handler provides support for authenticating clients with the MS-CHAPv2 protocol described in RFC 2759.
The MS-CHAPv2 protocol relies on the MD4 digest algorithm and the DES encryption algorithm, both of which are considered insecure. It also relies on user passwords being stored in a reversible form (e.g., using the AES password storage scheme), which is considered less secure than user passwords stored in a non-reversible form because an attacker may be able to decrypt the values in order to obtain their plain-text representations. This SASL mechanism handler should only be enabled for use in legacy environments where MS-CHAPv2 authentication is required. In order to mitigate the risk of exposing weakly-encoded credentials to anyone capable of observing network communication between the client and the server, this SASL mechanism handler can only be used to authenticate clients that are communicating with the server over a secure (e.g., via SSL or StartTLS) channel.
In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.
This SASL mechanism handler is not supported in servers running in FIPS 140-2-compliant mode.
The UnboundID Ms Chap V2 SASL Mechanism Handler component inherits from the SASL Mechanism Handler.
The following components have a direct aggregation relation from UnboundID Ms Chap V2 SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties:
---|---
description | None
enabled |
identity-mapper |
Property | description
---|---
Description | A description for this SASL Mechanism Handler
Default Value | None
Allowed Values | A string
Multi-Valued | No
Required | No
Admin Action Required | None. Modification requires no further action

Property | enabled
---|---
Description | Indicates whether the SASL mechanism handler is enabled for use.
Default Value | None
Allowed Values | true, false
Multi-Valued | No
Required | Yes
Admin Action Required | None. Modification requires no further action

Property | identity-mapper
---|---
Description | The identity mapper that should be used to identify the entry associated with the username provided in the bind request.
Default Value | None
Allowed Values | The DN of any Identity Mapper. If this UnboundID Ms Chap V2 SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled.
Multi-Valued | No
Required | Yes
Admin Action Required | None. Modification requires no further action
To list the configured SASL Mechanism Handlers:

```
dsconfig list-sasl-mechanism-handlers [--property {propertyName}] ...
```

To view the configuration for an existing SASL Mechanism Handler:

```
dsconfig get-sasl-mechanism-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing SASL Mechanism Handler:

```
dsconfig set-sasl-mechanism-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new UnboundID Ms Chap V2 SASL Mechanism Handler:

```
dsconfig create-sasl-mechanism-handler --handler-name {name} --type unboundid-ms-chap-v2 --set enabled:{propertyValue} --set identity-mapper:{propertyValue} [--set {propertyName}:{propertyValue}] ...
```

To delete an existing SASL Mechanism Handler:

```
dsconfig delete-sasl-mechanism-handler --handler-name {name}
```