Security
Different versions of LDAP support different types of authentication. LDAP v2 defines three types of authentication: anonymous, simple (cleartext password), and Kerberos V4. LDAP v3 supports anonymous, simple, and authentication through the Simple Authentication and Security Layer (SASL) framework (RFC 2222), which allows different authentication mechanisms to be used with the LDAP protocol. SASL specifies a challenge-response protocol in which data is exchanged between the client and the server for the purposes of authentication and the establishment of a security layer on which to carry out subsequent communication.
By using SASL, the LDAP protocol can support any type of authentication agreed upon by the LDAP client and server. There are several SASL mechanisms currently defined:
- DIGEST-MD5 (draft-leach-digest-sasl-01.txt)
- Anonymous (RFC 2245)
- External (RFC 2222)
- S/Key (RFC 2222)
- GSSAPI (RFC 2222)
- Kerberos V4 (RFC 2222)
- CRAM-MD5 (RFC 2195)
Of the mechanisms on this list, popular LDAP servers (such as those from Netscape, Innosoft, and Sun) currently support CRAM-MD5 and External. draft-ietf-ldapext-authmeth-03.txt proposes DIGEST-MD5 (replacing CRAM-MD5) as the mandatory default mechanism for LDAP v3 servers. All LDAP servers support anonymous and simple authentication (using the LDAP protocol directly, not SASL).
This lesson contains descriptions of how to authenticate using anonymous, simple, and CRAM-MD5. These are the mechanisms currently supported by Sun's LDAP service provider. Support for general SASL mechanisms is planned for a future version of the LDAP service provider.
Specifying the Authentication Mechanism
The authentication mechanism is specified using the Context.SECURITY_AUTHENTICATION ("java.naming.security.authentication") environment property. This property can have one of the following values:
- CRAM-MD5 - use the CRAM-MD5 (RFC 2195) SASL mechanism
- none - use no authentication (anonymous)
- simple - use weak authentication (clear-text password)
The Default Mechanism
If the client does not specify any authentication environment properties, the default authentication mechanism is none, and the client is treated as an anonymous client. If the client specifies authentication information (a principal and credentials) without explicitly setting the Context.SECURITY_AUTHENTICATION property, the default authentication mechanism is CRAM-MD5.
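The following is an added example (not code from the tutorial itself) showing how the three mechanism values are selected through Context.SECURITY_AUTHENTICATION with Sun's LDAP service provider, and how a client tells the failure cases apart. The server URL, the bind DN, and the password are placeholders, and the "simple" mechanism sends the password in the clear, so it belongs only on a TLS-protected connection (for example an ldaps:// URL).

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapAuthExample {

    /**
     * Opens an LDAP context with the requested JNDI authentication mechanism.
     * mechanism is one of "none", "simple" or "CRAM-MD5". For "none" the
     * principal and credentials are not sent (anonymous bind).
     */
    public static DirContext connect(String url, String mechanism,
                                     String principal, String credentials)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        // Select the mechanism explicitly. If this property were omitted while a
        // principal and credentials are supplied, the provider would default to
        // CRAM-MD5; with no authentication properties at all it defaults to "none".
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        if (!"none".equals(mechanism)) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        // The bind is performed when the initial context is created.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Placeholder values (assumptions, not a real directory).
        String url = "ldaps://ldap.example.com:636/o=ExampleOrg";
        String dn = "cn=Example User,ou=People,o=ExampleOrg";
        String password = System.getenv("LDAP_PASSWORD");

        for (String mechanism : new String[] {"none", "CRAM-MD5", "simple"}) {
            try {
                DirContext ctx = connect(url, mechanism, dn, password);
                System.out.println(mechanism + ": bind succeeded");
                ctx.close();
            } catch (AuthenticationException e) {
                // The server rejected the credentials for this mechanism.
                System.out.println(mechanism + ": authentication failed: " + e.getMessage());
            } catch (CommunicationException e) {
                // Raised, for instance, when the server does not implement the
                // chosen SASL mechanism (as the note about Netscape 3.11 describes).
                System.out.println(mechanism + ": communication error: " + e.getMessage());
            } catch (NamingException e) {
                System.out.println(mechanism + ": naming error: " + e.getMessage());
            }
        }
    }
}
```

Keeping the mechanism explicit in the environment, rather than relying on the CRAM-MD5 default, makes it obvious in code review which credentials are sent in cleartext and which are only ever used in a challenge-response exchange.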
Note: The Netscape Directory Server 3.11 supports the CRAM-MD5 authentication mechanism only if you install some additional software on the server. Otherwise, attempting to use CRAM-MD5 with the server results in a CommunicationException being thrown. If you need to authenticate against a Netscape server, you usually use "simple".