Simple Authentication and Security Layer (SASL) provides a way to use other mechanisms for authentication such as Kerberos or Digest authentication, or even to define your own authentication mechanism. Directory servers advertise the SASL mechanisms they support in the supportedSASLMechanisms attribute of the root DSE, so a client can check what is on offer before choosing how to bind. The following example shows how to search OpenDJ for supported SASL mechanisms.

```
$ ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password \
 --baseDN "" --searchScope base "(objectclass=*)" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
```

Notice that neither the Kerberos (GSSAPI SASL) nor the ANONYMOUS mechanism is enabled by default, though OpenDJ implements both.
To bind with a SASL mechanism, your program builds a SASLBindRequest and passes it to the bind() method of the Connection.
This section shows an example using the SASL PLAIN mechanism. The authentication ID is either a DN, written as dn:uid=bjensen,ou=People,dc=example,dc=com, or a user ID, written as u:bjensen. An optional authorization ID in the same form names the user on whose behalf operations are performed; when it is omitted, the authenticated user is also the authorization identity. The SASL PLAIN mechanism sends the password in clear text inside the bind request and itself does nothing to secure the connection, so the example uses StartTLS to protect it on the wire. The example is provided with the OpenDJ LDAP SDK examples in org.forgerock.opendj.examples.SASLAuth.java.
The following excerpt shows the core of the bind process.
```java
try {
    // Connection options set up StartTLS (see getTrustAllOptions() below).
    final LDAPConnectionFactory factory =
            new LDAPConnectionFactory(host, port, getTrustAllOptions());
    connection = factory.getConnection();

    // authcid is "u:<userid>" or "dn:<dn>"; authzid, if set, uses the same forms.
    PlainSASLBindRequest request =
            Requests.newPlainSASLBindRequest(authcid, passwd.toCharArray())
                    .setAuthorizationID(authzid);
    connection.bind(request);
    System.out.println("Authenticated as " + authcid + ".");
} catch (final ErrorResultException e) {
    // The bind result code and diagnostic message explain why the bind failed.
    System.err.println(e.getMessage());
} finally {
    if (connection != null) {
        connection.close();
    }
}
```
The implementation for getTrustAllOptions(), the same as in the example above, sets up StartTLS with a trust manager that accepts any server certificate. That is convenient against a test server, but it does not authenticate the server: anything that can intercept the connection can complete the TLS handshake itself and read the clear-text PLAIN credentials. In production, replace it with a trust manager backed by a trust store that holds the server's CA certificate. When you run this example with both the authorization and authentication IDs, authzid and authcid, set to u:bjensen and the password to hifalutin, the bind is successful, and the program reaches the final line of the try block.
```
Authenticated as u:bjensen.
```
Behind the scenes, OpenDJ has the SASL PLAIN mechanism configured by default to use the Exact Match Identity Mapper, which looks up a u: user ID as a uid value to find the user entry. If you use another directory server, you might have to configure how it maps user IDs to user entries.
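The following is an added example, not code from SASLAuth.java or the OpenDJ project. It pulls together the bind procedure above with the u: and dn: identity forms, and it replaces the trust-all StartTLS setup with a trust manager that verifies the server's certificate chain and host name, after first checking that PLAIN is actually advertised in the root DSE. It is written against the OpenDJ LDAP SDK 2.6 API used on this page (org.forgerock.opendj.ldap; later releases renamed ErrorResultException to LdapException). The host, port, trust store path, passwords and the kvaughan entry are assumed values.

```java
// Added example (not from the OpenDJ LDAP SDK examples): SASL PLAIN bind over StartTLS
// with server certificate verification instead of trust-all, after checking that the
// server advertises PLAIN in its root DSE. Host, port, trust store and credentials
// are assumed values.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collection;

import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ErrorResultException;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LDAPOptions;
import org.forgerock.opendj.ldap.RootDSE;
import org.forgerock.opendj.ldap.SSLContextBuilder;
import org.forgerock.opendj.ldap.TrustManagers;
import org.forgerock.opendj.ldap.requests.PlainSASLBindRequest;
import org.forgerock.opendj.ldap.requests.Requests;

public final class VerifiedPlainSaslBind {

    // Assumed connection details; the trust store holds the CA that issued the server cert.
    private static final String HOST = "opendj.example.com";
    private static final int PORT = 1389;
    private static final String TRUST_STORE = "/path/to/truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** StartTLS options that verify the server's certificate chain and host name. */
    static LDAPOptions verifiedStartTlsOptions(final String host)
            throws GeneralSecurityException, IOException {
        // Chain check against the trust store, then host name check against the cert.
        // TrustManagers.trustAll() skips both, which lets any machine in the path
        // terminate the TLS session and read the PLAIN credentials.
        final X509TrustManager tm = TrustManagers.checkHostName(host,
                TrustManagers.checkUsingTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD, null));
        final SSLContext ctx = new SSLContextBuilder().setTrustManager(tm).getSSLContext();
        return new LDAPOptions().setSSLContext(ctx).setUseStartTLS(true);
    }

    /** Binds with SASL PLAIN as authcid, optionally requesting authzid for the session. */
    static String plainBind(final String host, final int port, final String authcid,
            final char[] password, final String authzid)
            throws GeneralSecurityException, IOException, ErrorResultException {
        final LDAPConnectionFactory factory =
                new LDAPConnectionFactory(host, port, verifiedStartTlsOptions(host));
        final Connection connection = factory.getConnection();
        try {
            // Do not send a clear-text password for a mechanism the server may not accept.
            final Collection<String> mechs =
                    RootDSE.readRootDSE(connection).getSupportedSASLMechanisms();
            if (!mechs.contains("PLAIN")) {
                throw new IllegalStateException("Server does not advertise SASL PLAIN: " + mechs);
            }
            final PlainSASLBindRequest request =
                    Requests.newPlainSASLBindRequest(authcid, password);
            if (authzid != null) {
                request.setAuthorizationID(authzid);
            }
            connection.bind(request);
            return "Authenticated as " + authcid
                    + (authzid != null ? ", acting as " + authzid : "") + ".";
        } finally {
            connection.close();
        }
    }

    public static void main(final String[] args) throws Exception {
        final char[] pw = "hifalutin".toCharArray();
        try {
            // "u:" form: the PLAIN handler's identity mapper resolves bjensen to uid=bjensen.
            System.out.println(plainBind(HOST, PORT, "u:bjensen", pw, null));
            // "dn:" form: no identity mapping needed, the entry is named directly.
            System.out.println(plainBind(HOST, PORT,
                    "dn:uid=bjensen,ou=People,dc=example,dc=com", pw, null));
            // Separate authorization ID: authenticate as bjensen, act as kvaughan. The
            // server requires bjensen to hold the proxied-auth privilege, else the bind fails.
            System.out.println(plainBind(HOST, PORT, "u:bjensen", pw, "u:kvaughan"));
        } catch (final ErrorResultException e) {
            System.err.println("Bind failed: " + e.getResult().getDiagnosticMessage());
        } finally {
            Arrays.fill(pw, '\0'); // scrub the password once it is no longer needed
        }
    }
}
```

If the root DSE check fails, nothing has been sent beyond the StartTLS handshake and the anonymous root DSE read, so the password never leaves the client. Swap verifiedStartTlsOptions() for an LDAPOptions built on TrustManagers.trustAll() to reproduce the page's getTrustAllOptions() behaviour against a test server without a trust store.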
For a complete example in context, see SASLAuth.java, one of the OpenDJ LDAP SDK examples.