SASL External Authentication

SASL allows an authentication established by non-LDAP means such as TLS to be used in LDAP.

Threats

  1. Re-usable credentials such as passwords are inherently weak. SASL External gives access to stronger authentication methods.

Controls

  1. Use SASL External authentication along with client-side X.509 certificates and TLS whenever possible. This combination provides a strong authentication that is protected against replay attacks.
  2. When LDAP client and server are running on the same machine, consider using SASL External with the LDAP-over-IPC transport described in draft-chu-ldap-ldapi-00.txt. Note that this only authenticates the operating-system account that owns the client process: the ultimate end-user may be different if the LDAP client is itself a server process (e.g. a web server).

Application

Apply this control when client authentication is required and the client is either on the same machine as the server or can be securely provided with an X.509 certificate and matching key.
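Both controls above leave the server with an authenticated SASL EXTERNAL identity (the peer's uid/gid on the IPC socket, or the subject DN of the client certificate over TLS) that still has to be mapped onto a directory entry before any access control applies. The following is an added example, not part of the original page or of OpenLDAP: it emulates in Python the kind of ordered regex-to-DN rewrite that slapd's authz-regexp directive performs, so that the mapping can be checked offline before it is put into a live configuration. The identity string formats, the example directory dc=example,dc=com, the CA subject "O=Example Org" and the rules themselves are assumptions made for this example.

```python
import re

# Constructed identity strings in the shapes assumed here for what slapd
# hands to the mapping step after a successful SASL EXTERNAL bind:
#   ldapi  : gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
#   TLS    : the subject DN of the verified client certificate
PEERCRED_PATTERN = re.compile(
    r"^gidNumber=(?P<gid>\d+)\+uidNumber=(?P<uid>\d+),"
    r"cn=peercred,cn=external,cn=auth$",
    re.IGNORECASE,
)

# Ordered (regex, replacement) pairs in the spirit of authz-regexp lines.
# "$1" in slapd syntax corresponds to "\1" here. Assumed rules for the
# hypothetical dc=example,dc=com directory; first match wins.
AUTHZ_RULES = [
    # ldapi: the root OS account becomes the directory manager
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=Manager,dc=example,dc=com"),
    # ldapi: any other local account maps to an entry keyed by its uidNumber.
    # Control 2's caveat applies: if uid 33 is a web server, the mapped
    # identity is the web server process, never the web user behind it.
    (r"^gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$",
     r"uidNumber=\1,ou=People,dc=example,dc=com"),
    # TLS: a certificate issued under the organisation's own CA with subject
    # "CN=<name>,OU=People,O=Example Org" maps into the People subtree
    (r"^cn=([^,]+),ou=people,o=example org$",
     r"cn=\1,ou=People,dc=example,dc=com"),
]


def map_external_identity(identity, rules=AUTHZ_RULES):
    """Return the directory DN for an authenticated SASL EXTERNAL identity.

    Returns None when no rule matches. In slapd the unmapped identity is then
    used as-is; it normally names no entry, so the bind succeeds but the
    session gets only the rights granted to that literal string (usually none).
    Matching is case-insensitive, as DN attribute types are.
    """
    for pattern, replacement in rules:
        match = re.match(pattern, identity, re.IGNORECASE)
        if match:
            return match.expand(replacement)
    return None


def describe_identity(identity):
    """Say what a SASL EXTERNAL identity actually vouches for.

    A peercred identity proves only which local OS account owns the client
    socket; a certificate subject proves possession of the matching private
    key. Anything else ending in ",cn=auth" came from a different mechanism.
    """
    match = PEERCRED_PATTERN.match(identity)
    if match:
        return {"transport": "ldapi", "vouches_for": "local OS account",
                "uid": int(match["uid"]), "gid": int(match["gid"])}
    if identity.lower().endswith(",cn=auth"):
        return {"transport": "other SASL mechanism", "vouches_for": None}
    return {"transport": "tls-client-cert",
            "vouches_for": "holder of the certificate's private key",
            "subject": identity}


if __name__ == "__main__":
    # Constructed sample identities, one per transport plus one stranger
    samples = [
        "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
        "gidNumber=33+uidNumber=33,cn=peercred,cn=external,cn=auth",
        "CN=Alice Example,OU=People,O=Example Org",
        "CN=Mallory,O=Some Other CA",
    ]
    for ident in samples:
        print(ident)
        print("   ->", map_external_identity(ident), describe_identity(ident))
```

Running the block with the constructed samples shows root on the IPC socket landing on the manager entry, an ordinary local uid landing on a per-user entry, a certificate from the organisation's CA landing in ou=People, and a certificate from an unrelated issuer mapping to nothing. The last case is the one to check deliberately: TLS will only present a subject DN for a certificate whose chain the server trusts, so the CA list configured on the server and the mapping rules must be reviewed together.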

-- AndrewFindlay - 07 Oct 2011
Topic revision: r1 - 07 Oct 2011, AndrewFindlay
