HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

13 Managing SASL
HP-UX Directory Server supports LDAP client authentication through the Simple Authentication and
Security Layer (SASL), an alternative to TLS/SSL and a native way for some applications to share
information securely.
The SASL framework allows different mechanisms to be used to authenticate a user to the server,
depending on what mechanism is enabled in both client and server applications. SASL also creates
a layer for encrypted (secure) sessions. Using GSS-API, Directory Server utilizes Kerberos tickets
to authenticate sessions and encrypt data.
This chapter describes how to use SASL with Directory Server.
Topics include:
“Overview of SASL in Directory Server” (page 499)
“Configuring SASL identity mapping” (page 505)
“Configuring SASL authentication at Directory Server startup” (page 507)
“Using an external keytab” (page 507)
NOTE:
SASL encryption is not supported for client connections that use TLS/SSL.
13.1 Overview of SASL in Directory Server
Simple Authentication and Security Layer (SASL) is an abstraction layer between protocols like
LDAP and authentication methods like GSS-API which allows any protocol which can interact with
SASL to utilize any authentication mechanism that can work with SASL. Simply put, SASL is an
intermediary that makes authenticating to applications using different mechanisms easier. SASL
can also be used to establish an encrypted session between a client and server.
Directory Server uses SASL as an alternative to TLS/SSL, particularly in environments that use
Kerberos to implement single sign-on. Directory Server allows users to authenticate and bind to
the server with SASL. This includes the LDAP tools ldapsearch and ldapmodify. For example, a client
that already holds a Kerberos ticket (obtained with kinit) can bind over GSS-API:
ldapsearch -p 389 -h server.example.com -o "mech=GSSAPI" \
    -o "authid=dn:uid=jsmith,ou=people,dc=example,dc=com" -o realm=EXAMPLE.COM
NOTE:
SASL proxy authorization is not supported in Directory Server; therefore, Directory Server ignores
any SASL authzid value supplied by the client.
Two primary pieces of information are required to use SASL with Directory Server:
The authentication mechanism, in this example GSS-API
The identity as which you are authenticating (the authid, or authentication ID; this is distinct
from the authzid, or authorization ID, which Directory Server ignores)
Other information, such as the Kerberos realm, can also be passed with the command. The SASL
options for Directory Server tools are described more in the HP-UX Directory Server configuration,
command, and file reference.
When a client connects to Directory Server using SASL, the Directory Server takes the identity
offered as the SASL authid and maps it to an entry in the directory. If the authid is given as a
DN (as in authid=dn:DN), this is done simply by matching the DN. It is also possible to offer a
username, a Kerberos principal, or a part of a DN; these are mapped to a directory entry using
SASL identity mappings, each of which matches the authid against a regular expression and then
searches for the entry under a base DN with a filter built from the matched text.
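The following is an added example, not code from the HP-UX Directory Server guide or from the server itself. It shows how a SASL authid is resolved to an entry: a "dn:" authid is matched directly, and any other authid (a bare username, a "u:" username or a Kerberos principal such as jsmith@EXAMPLE.COM) is run through identity mappings in order, each mapping being a regular expression over the authid plus a base-DN template and a filter template that may refer to the regex groups as \1, \2, and so on. The in-memory directory and the three mappings are constructed for the example, and the mapping attribute names (nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate) are assumed to follow the Directory Server mapping-entry schema described later in this chapter. Stopping at the first mapping whose regex matches, and escaping the substituted text per the LDAP filter escaping rules, are choices made in this example rather than documented server behaviour.

```python
"""Resolve a SASL authid to a directory entry (added example, not server code).

The directory, the mappings and the mapping attribute names below are
constructed/assumed for illustration of the mapping algorithm described in
the text.
"""
import re
from typing import Dict, List, Optional

# Constructed in-memory directory: normalised (lower-case) DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=jsmith,ou=people,dc=example,dc=com": {"uid": "jsmith", "cn": "John Smith"},
    "uid=admin,ou=people,dc=example,dc=com": {"uid": "admin", "cn": "Directory Admin"},
    "cn=ldap/server.example.com,ou=services,dc=example,dc=com": {"cn": "ldap/server.example.com"},
}

# Constructed mappings, tried in order; attribute names are assumed to follow
# the Directory Server mapping-entry schema. \1, \2 ... refer to regex groups.
MAPPINGS: List[Dict[str, str]] = [
    {   # user principal in the local realm -> user entry looked up by uid
        "nsSaslMapRegexString": r"^([^@/]+)@EXAMPLE\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=people,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(uid=\1)",
    },
    {   # service principal service/host@REALM -> service entry looked up by cn
        "nsSaslMapRegexString": r"^([a-z]+)/([^@]+)@EXAMPLE\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=services,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(cn=\1/\2)",
    },
    {   # bare username with no realm -> user entry looked up by uid
        "nsSaslMapRegexString": r"^([^@/]+)$",
        "nsSaslMapBaseDNTemplate": "ou=people,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(uid=\1)",
    },
]


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) in text substituted into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_filter_unescape(value: str) -> str:
    """Reverse ldap_filter_escape: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template: str, match: "re.Match") -> str:
    """Substitute \\N in a filter template with the escaped text of regex group N."""
    return re.sub(r"\\(\d)", lambda g: ldap_filter_escape(match.group(int(g.group(1)))), template)


def search(base_dn: str, filt: str) -> List[str]:
    """Subtree search of DIRECTORY supporting only a single (attr=value) filter."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1).lower(), ldap_filter_unescape(m.group(2)).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base_dn or dn.endswith("," + base_dn))
            and attrs.get(attr, "").lower() == value]


def resolve_authid(authid: str) -> Optional[str]:
    """Return the DN the SASL authid maps to, or None if no single entry matches."""
    if authid.startswith("dn:"):                     # authid=dn:DN -> direct DN match
        dn = normalize_dn(authid[3:])
        return dn if dn in DIRECTORY else None
    if authid.startswith("u:"):                      # authid=u:name -> treat as a username
        authid = authid[2:]
    for mapping in MAPPINGS:
        match = re.fullmatch(mapping["nsSaslMapRegexString"], authid)
        if match is None:
            continue
        # Base templates here carry no groups, so plain expansion is enough;
        # a base template using \N would additionally need DN escaping.
        base_dn = normalize_dn(match.expand(mapping["nsSaslMapBaseDNTemplate"]))
        hits = search(base_dn, expand_filter(mapping["nsSaslMapFilterTemplate"], match))
        # Example's rule: the first mapping whose regex matches decides; it must
        # identify exactly one entry, otherwise the bind identity is unresolved.
        return hits[0] if len(hits) == 1 else None
    return None                                      # no mapping applies


if __name__ == "__main__":
    for authid in ("dn:uid=jsmith,ou=people,dc=example,dc=com", "jsmith@EXAMPLE.COM",
                   "u:admin", "ldap/server.example.com@EXAMPLE.COM",
                   "jsmith@OTHER.REALM", "jsmith)(uid=admin"):
        print("%-45s -> %s" % (authid, resolve_authid(authid)))
```

The last two inputs show the failure modes a practitioner should expect: a principal from a realm no mapping covers resolves to nothing, and an authid carrying filter metacharacters is escaped before substitution so it cannot be turned into a different filter than the template author intended.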