HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

13.1.3 Authentication mechanisms for SASL in Directory Server
Directory Server supports the following SASL mechanisms:
EXTERNAL
EXTERNAL, as with TLS/SSL, performs certificate-based authentication. This method uses public
keys for strong authentication.
CRAM-MD5
CRAM-MD5 is a simple challenge-response authentication method. It does not establish any
security layer, unlike GSS-API. Both DIGEST-MD5 and GSS-API are much more secure, so both
of those methods are recommended over CRAM-MD5.
DIGEST-MD5
DIGEST-MD5 is a mandatory authentication method for LDAPv3 servers. While it is not as
strong as public key systems or Kerberos authentication methods, it is preferred over plain
text passwords and does protect against plain text attacks.
Generic Security Services (GSS-API)
Generic Security Services (GSS) is a security API that is the native way for UNIX-based
operating systems to access and authenticate Kerberos services. GSS-API also supports session
encryption, similar to TLS/SSL. (GSS-API is not compatible with TLS/SSL; they cannot be used
simultaneously.) This allows LDAP clients to authenticate with the server using Kerberos version
5 credentials (tickets) and to use network session encryption.
For Directory Server to use GSS-API, Kerberos must be configured on the host machine. See
“About Kerberos with Directory Server” (page 503).
NOTE:
GSS-API and, thus, Kerberos are only supported on platforms that have GSS-API support. To
use GSS-API, it may be necessary to install the Kerberos client libraries; any required Kerberos
libraries will be available through the operating system vendor.
CRAM-MD5, DIGEST-MD5, and GSS-API are all shared secret mechanisms. The server challenges
the client attempting to bind; the secret involved, such as a password, depends on the mechanism.
The client sends back the response the mechanism requires.
NOTE:
DIGEST-MD5 requires clear text passwords. The Directory Server requires the clear text password
in order to generate the shared secret. Passwords already stored as a hashed value, such as SHA1,
cannot be used with DIGEST-MD5.
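The following added example (not from the HP guide) walks through a CRAM-MD5 challenge/response exchange as defined in RFC 2195 to show why the server side of a shared-secret mechanism needs the clear-text password and why a SHA-1-hashed entry cannot take part; the usernames, passwords and the challenge host string are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# CRAM-MD5 (RFC 2195): the server sends a one-time challenge; the client replies
# "<username> <hex HMAC-MD5(key=password, msg=challenge)>". The server can only
# check that reply if it can reproduce the HMAC, i.e. if it holds the clear-text password.

# Constructed sample entries: one password stored in clear text, one stored only
# as a SHA-1 hash (the form the note above says cannot serve as the shared secret).
USERS = {
    "alice": {"scheme": "CLEAR", "value": "correct horse"},
    "bob": {"scheme": "SHA", "value": hashlib.sha1(b"battery staple").hexdigest()},
}

def make_challenge() -> bytes:
    # A fresh random challenge per bind attempt, so a captured response is not replayable.
    return b"<" + secrets.token_hex(16).encode() + b"@ldap.example.test>"

def client_response(username: str, password: str, challenge: bytes) -> str:
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def server_verify(response: str, challenge: bytes, users: dict) -> bool:
    """Recompute the expected HMAC from the stored credential and compare in constant time."""
    username, _, digest = response.partition(" ")
    cred = users.get(username)
    # A one-way hash cannot be turned back into the password, so there is no key for the HMAC.
    if cred is None or cred["scheme"] != "CLEAR":
        return False
    expected = hmac.new(cred["value"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def run_bind_demo() -> dict:
    """Run the exchange for both sample users and return each outcome."""
    chal = make_challenge()
    results = {
        "alice_ok": server_verify(client_response("alice", "correct horse", chal), chal, USERS),
        "alice_wrong_pw": server_verify(client_response("alice", "wrong", chal), chal, USERS),
        # bob knows his real password, but the directory holds only a SHA-1 hash of it
        "bob_sha1_stored": server_verify(client_response("bob", "battery staple", chal), chal, USERS),
    }
    # A response captured from one bind fails against the next challenge.
    replay = client_response("alice", "correct horse", chal)
    results["replay_new_challenge"] = server_verify(replay, make_challenge(), USERS)
    return results
```

DIGEST-MD5 derives its shared secret differently (an MD5 of username, realm and password), but the same dependency on the clear-text password applies.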
13.1.4 About Kerberos with Directory Server
Kerberos v5 must be deployed on the host for Directory Server to utilize the GSS-API mechanism
for SASL authentication. GSS-API and Kerberos client libraries must be installed on the Directory
Server host to take advantage of Kerberos services.
HP-UX 11i supports HP Kerberos version 2.1.
The concepts of Kerberos, as well as using and configuring Kerberos, are covered at the MIT
Kerberos website, http://web.mit.edu/Kerberos/.
13.1.4.1 About principals and realms
A principal is a user in the Kerberos environment. A realm is a set of users and the authentication
methods for those users to access the realm. A realm resembles a fully-qualified domain name and
can be distributed across either a single server or a single domain across multiple machines. A
single server instance can also support multiple realms.
13.1 Overview of SASL in Directory Server 503