A.3. Using SASL with LDAP Client Tools
Directory Server uses SASL for authentication and network security, particularly in environments that use Kerberos to implement single sign-on. Directory Server allows users to authenticate and bind to the server with SASL and then to encrypt (secure) the network connection to the server.
SASL authentication and security properties can be used with LDAP client tools such as ldapsearch and ldapmodify. For example:
ldapsearch -O noplain,minssf=1,maxbufsize=512 -Y GSSAPI -U "dn:uid=jsmith,ou=people,dc=example,dc=com" -R EXAMPLE.COM ...
The SASL-related LDAP tool parameters are listed in Table A.2, “LDAP Client Tool SASL Parameters”.
Note
SASL proxy authorization is not supported in Directory Server; therefore, Directory Server ignores any SASL authzid value supplied by the client.
Two primary pieces of information are required to use SASL with Directory Server:
- The authentication mechanism, in this example GSSAPI
- The user as whom you are authenticating (the SASL authentication ID, given with -U)
Other information, such as the Kerberos realm, can also be passed with the command.
When a client connects to Directory Server using SASL, Directory Server takes the identity offered as the SASL authid and maps it to an entry in the directory. If the authid is given as a DN (authid=dn:DN, as in the example above), this is done simply by matching the DN. It is also possible to use a user name or part of a DN; these are mapped to the directory entry using SASL identity mappings.
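The bind on the example command line above, wrapped in a small shell script as an added example (not code from the original page or from Directory Server): it validates the -O security properties before invoking OpenLDAP's ldapsearch, rejecting unknown or contradictory properties, reports whether the -U authentication ID is a DN the server matches directly or a name that needs a SASL identity mapping, and only performs the real bind when RUN_BIND=1, since that needs a reachable server and a Kerberos ticket. The function names, the RUN_BIND variable and the search base are assumptions of this example; the list of accepted properties is the one OpenLDAP's client library parses for -O.

```shell
#!/bin/sh
# Added example, not part of the original page or of Directory Server:
# checks the SASL options described above before calling OpenLDAP's
# ldapsearch. Function names, RUN_BIND and the search base are assumptions.
set -eu

# Security properties OpenLDAP accepts in -O (and SASL_SECPROPS in ldap.conf).
# Flags take no value; the keys take a decimal value (minssf=1, maxbufsize=512).
SECPROP_FLAGS="none noplain noactive nodict noanonymous forwardsec passcred"
SECPROP_KEYS="minssf maxssf maxbufsize"

# validate_secprops "noplain,minssf=1,maxbufsize=512"
# Returns 0 when every property is known, every value is numeric and minssf
# does not exceed maxssf; otherwise prints the reason to stderr and returns 1.
# A mistyped property would otherwise weaken the bind policy silently.
validate_secprops() {
    props="$1"; minssf=0; maxssf=""
    old_ifs="$IFS"; IFS=','
    set -- $props                       # split the comma-separated list
    IFS="$old_ifs"
    for prop in "$@"; do
        case "$prop" in
            *=*)
                key="${prop%%=*}"; val="${prop#*=}"
                case " $SECPROP_KEYS " in
                    *" $key "*) ;;
                    *) echo "unknown property: $prop" >&2; return 1 ;;
                esac
                case "$val" in
                    ''|*[!0-9]*) echo "non-numeric value: $prop" >&2; return 1 ;;
                esac
                case "$key" in
                    minssf) minssf="$val" ;;
                    maxssf) maxssf="$val" ;;
                esac
                ;;
            *)
                case " $SECPROP_FLAGS " in
                    *" $prop "*) ;;
                    *) echo "unknown property: $prop" >&2; return 1 ;;
                esac
                ;;
        esac
    done
    # minssf=1 already demands at least an integrity layer; a minimum above the
    # maximum can never be negotiated, so every bind would fail.
    if [ -n "$maxssf" ] && [ "$minssf" -gt "$maxssf" ]; then
        echo "minssf=$minssf exceeds maxssf=$maxssf" >&2
        return 1
    fi
    return 0
}

# build_ldapsearch_cmd MECH AUTHCID REALM SECPROPS [ldapsearch args...]
# Prints the validated command line, one argument per line; runs nothing.
build_ldapsearch_cmd() {
    mech="$1"; authcid="$2"; realm="$3"; secprops="$4"; shift 4
    validate_secprops "$secprops" || return 1
    printf '%s\n' ldapsearch -O "$secprops" -Y "$mech" -U "$authcid" -R "$realm" "$@"
}

# run_sasl_ldapsearch: same arguments; performs the SASL bind and the search.
run_sasl_ldapsearch() {
    mech="$1"; authcid="$2"; realm="$3"; secprops="$4"; shift 4
    validate_secprops "$secprops" || return 1
    ldapsearch -O "$secprops" -Y "$mech" -U "$authcid" -R "$realm" "$@"
}

# authcid_kind ID: "dn" for a dn:DN that the server matches directly,
# "mapped" for a user name or DN fragment that needs a SASL identity mapping.
authcid_kind() {
    case "$1" in
        dn:*) echo dn ;;
        *)    echo mapped ;;
    esac
}

# The page's example identity and a constructed search base.
AUTHCID="dn:uid=jsmith,ou=people,dc=example,dc=com"
BASE="dc=example,dc=com"
SECPROPS="noplain,minssf=1,maxbufsize=512"   # no cleartext password, integrity layer required

echo "authentication ID is resolved by: $(authcid_kind "$AUTHCID")"
echo "command that would run:"
build_ldapsearch_cmd GSSAPI "$AUTHCID" EXAMPLE.COM "$SECPROPS" -b "$BASE" -s base "(objectClass=*)"

# The real bind needs a reachable Directory Server and a Kerberos ticket
# (kinit) for the principal behind the authentication ID, so it is opt-in.
if [ "${RUN_BIND:-0}" = 1 ]; then
    run_sasl_ldapsearch GSSAPI "$AUTHCID" EXAMPLE.COM "$SECPROPS" -b "$BASE" -s base "(objectClass=*)"
fi
```

Because the authzid is ignored by Directory Server (see the note above), the wrapper deliberately exposes only the authentication ID; the entry the search runs as is the one the authid maps to.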
Table A.2. LDAP Client Tool SASL Parameters
| Option | Description | Allowed Values |
|---|---|---|
| -O | Optional. Sets the security properties for the connection, as a comma-separated list. | All mechanisms: noplain, noactive, nodict, noanonymous, forwardsec, passcred, minssf=N, maxssf=N, maxbufsize=N. Further properties apply to the CRAM-MD5 mechanism only. |
| -R | Gives the SASL realm; for GSSAPI this is the Kerberos realm. | Depends on the mechanism. |
| -U | Gives the ID used to authenticate to the server (the SASL authentication ID). | A DN in the form dn:DN (for example dn:uid=jsmith,ou=people,dc=example,dc=com), or a user name or part of a DN that a SASL identity mapping resolves to an entry. |
| -Y | Sets the SASL authentication mechanism to use. | The name of a mechanism the server offers, such as GSSAPI or CRAM-MD5. |
