A.3. Using SASL with LDAP Client Tools

Directory Server uses SASL for authentication and network security, particularly in environments that use Kerberos to implement single sign-on. Directory Server allows users to authenticate and bind to the server with SASL and then to encrypt (secure) the network connection to the server.
The SASL authentication and security options are available in LDAP tools such as ldapsearch and ldapmodify. For example:
ldapsearch -O noplain,minssf=1,maxbufsize=512 -Y GSSAPI -U "dn:uid=jsmith,ou=people,dc=example,dc=com" -R EXAMPLE.COM ...
The SASL-related LDAP tool parameters are listed in Table A.2, “LDAP Client Tool SASL Parameters”.

Note

SASL proxy authorization is not supported in Directory Server; therefore, Directory Server ignores any SASL authzid value supplied by the client.
Two primary pieces of information are required to use SASL with Directory Server:
  • The authentication method, in this example GSS-API
  • The user as whom you are authenticating (the authorization ID)
Other information, such as the Kerberos realm, can also be passed with the command.
When a client connects to Directory Server using SASL, Directory Server takes the identity offered as the SASL authid and maps it back to an entry in the directory. If the authid is given as a DN (as in authid=dn:DN), this is done simply by matching the DN. It is also possible to use a user name or part of a DN, and these are mapped to the directory entry using SASL identity mappings.

Table A.2. LDAP Client Tool SASL Parameters

Option: -O
Description: Optional. Sets the security properties for the connection.
Allowed values:
  All mechanisms:
    • noplain — Do not permit mechanisms susceptible to simple passive attack.
    • noanonymous — Do not permit mechanisms that allow anonymous access.
    • minssf — Require a minimum security strength; this option takes a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
    • maxssf — Require a maximum security strength; this option takes a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
  CRAM-MD5 mechanism only:
    • noactive — Do not permit mechanisms susceptible to active attacks.
    • nodict — Do not permit mechanisms susceptible to passive dictionary attacks.
    • forwardsec — Require forward secrecy.
    • passcred — Attempt to pass client credentials.
    • maxbufsize — Set the maximum receive buffer size the client will accept when using integrity or privacy settings.

Option: -R
Description: Gives the Kerberos realm.
Allowed values: Depends on the mechanism.

Option: -U
Description: Gives the ID used to authenticate to the server.
Allowed values:
  • UID. For example, msmith.
  • u:uid. For example, u:msmith.
  • dn:dn_value. For example, dn:uid=msmith,ou=People,o=example.com.

Option: -Y
Description: Sets the SASL authentication mechanism to use.
Allowed values:
  • GSSAPI
  • CRAM-MD5
  • DIGEST-MD5
  • EXTERNAL
  • PLAIN