Directory Services 7.3.5

CRAM-MD5 SASL Mechanism Handler

The CRAM-MD5 SASL mechanism provides the ability for clients to perform password-based authentication in a manner that does not expose their password in the clear.

Rather than including the password in the bind request, the CRAM-MD5 mechanism uses a two-step process in which the client needs only to prove that it knows the password. The server sends randomly-generated data to the client that is to be used in the process, which makes it resistant to replay attacks. The one-way message digest algorithm ensures that the original clear-text password is not exposed. Note that the algorithm used by the CRAM-MD5 mechanism requires that both the client and the server have access to the clear-text password (or potentially a value that is derived from the clear-text password). In order to authenticate to the server using CRAM-MD5, the password for a user’s account must be encoded using a reversible password storage scheme that allows the server to have access to the clear-text value.

Parent

The CRAM-MD5 SASL Mechanism Handler object inherits from SASL Mechanism Handler.

Dependencies

CRAM-MD5 SASL Mechanism Handlers depend on the following objects:

CRAM-MD5 SASL Mechanism Handler properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

enabled
identity-mapper

java-class

Basic properties

Use the --advanced option to access advanced properties.

enabled

Synopsis

Indicates whether the SASL mechanism handler is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

identity-mapper

Synopsis

Specifies the name(s) of the identity mapper(s) used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.

Default value

None

Allowed values

The name of an existing identity-mapper.

The referenced identity mapper(s) must be enabled when the CRAM-MD5 SASL Mechanism Handler is enabled.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.

Default value

org.opends.server.extensions.CRAMMD5SASLMechanismHandler

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin action required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-only

No