SASL + LDAP = Better Centralized Authentication

SASL (Simple Authentication and Security Layer) is an Internet standard that enables Internet messaging protocols and LDAP (Lightweight Directory Access Protocol) to use a wide range of authentication mechanisms. Last week, an updated version was approved to replace RFC 2222.

SASL is an important, but less well known, member of the Internet messaging and directory protocol family. It is generally thought of as a way to use alternate authentication mechanisms, but there is another feature of SASL that is also important.

Many applications, and in particular custom Web applications, use LDAP as an authentication mechanism to verify the user name and password that the user supplies to the application. Working in this way is a very sensible approach for many organizations, as it allows a simple centralized authentication mechanism. This is achieved by the application binding to the directory as the user. Because an LDAP bind requires the user's full directory name (the distinguished name, or DN), the application will generally first make an anonymous bind to the directory and search it for the supplied user name, in order to determine the directory name needed for the second bind, which performs the actual authentication.

Use of SASL in conjunction with LDAP offers a much better solution. SASL lets the application authenticate with the user name exactly as supplied, and the mapping from that user name to a directory name is performed on the server side. This has the advantage of avoiding anonymous -- i.e., insecure -- directory operations. It also has a big operational advantage: the algorithm that maps a user name to a directory name is managed in one place (on the directory server) rather than needing to be maintained in every application that works in this manner.
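As an added example that is not part of the original column, the following Python sketch contrasts the two flows against a small constructed in-memory directory: the application-side pattern (anonymous search for the DN, then a simple bind as that DN) and the server-side pattern (a SASL authentication identity mapped to a DN by rules held on the server). The rule syntax is modelled on OpenLDAP's `authz-regexp` directive, which matches a SASL identity of the form `uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth` and rewrites it to either a DN or an `ldap:///` search URL; the entries, DNs and passwords are constructed for the demo, the SASL credential check is simplified to a direct password comparison, and a real client would talk to the server with a library such as ldap3 or the ldapsearch/ldapwhoami tools rather than calling these functions.

```python
"""Two ways of authenticating an application user against an LDAP directory.

Added example, not code from the original column. The directory below is a
constructed stand-in for a real server; the authz-regexp rules follow the
shape of OpenLDAP's `authz-regexp` directive (first matching rule wins).
"""
import re

# Constructed directory: DN -> attributes. Plaintext userPassword for the demo only.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}
PEOPLE_BASE = "ou=people,dc=example,dc=com"


def search(base, attr, value):
    """Subtree search: DNs under `base` whose attribute `attr` equals `value`."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base) and entry.get(attr) == value]


def simple_bind(dn, password):
    """LDAP simple bind: succeeds only for a known DN with a matching password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


# --- Pattern 1: mapping done by the application ------------------------------
def app_side_login(username, password):
    """Anonymous bind + search to find the DN, then bind as that DN.

    Every application doing this must know the search base and the attribute
    holding the login name, and the search runs without any authentication.
    """
    candidates = search(PEOPLE_BASE, "uid", username)   # anonymous search
    if len(candidates) != 1:
        return None                                     # unknown or ambiguous
    dn = candidates[0]
    return dn if simple_bind(dn, password) else None


# --- Pattern 2: mapping done once, on the server -----------------------------
# (regex over the SASL identity, replacement is a DN or an ldap:/// search URL)
AUTHZ_REGEXP = [
    # Direct rewrite of a special identity to a fixed DN (constructed example).
    (r"^uid=admin(?:,cn=[^,]+)?,cn=[^,]+,cn=auth$",
     "cn=Manager,dc=example,dc=com"),
    # Everyone else: look the login name up under the people subtree. The
    # realm component is optional, as some mechanisms do not carry one.
    (r"^uid=([^,]+)(?:,cn=[^,]+)?,cn=[^,]+,cn=auth$",
     "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"),
]


def sasl_map_identity(authcid):
    """Map a SASL authentication identity to a directory DN, or None."""
    for pattern, replacement in AUTHZ_REGEXP:
        match = re.match(pattern, authcid)
        if not match:
            continue
        target = replacement
        for i, group in enumerate(match.groups(), start=1):
            target = target.replace(f"${i}", group)
        if not target.startswith("ldap:///"):
            return target                               # literal DN form
        # URL form: ldap:///<base>?<attrs>?<scope>?<filter>; only equality
        # filters on one attribute are supported by this toy parser.
        base, _attrs, _scope, filt = target[len("ldap:///"):].split("?")
        parsed = re.fullmatch(r"\((\w+)=([^)]+)\)", filt)
        if parsed is None:
            return None
        hits = search(base, parsed.group(1), parsed.group(2))
        return hits[0] if len(hits) == 1 else None      # must be unique
    return None


def sasl_login(username, password, mechanism="DIGEST-MD5", realm="example.com"):
    """Server-side flow: the SASL layer forms the identity, the server maps it.

    Simplification: a real server verifies the SASL credential against the
    identity before or during mapping; here the password is checked directly.
    """
    authcid = f"uid={username},cn={realm},cn={mechanism},cn=auth"
    dn = sasl_map_identity(authcid)
    if dn is None:
        return None
    return dn if simple_bind(dn, password) else None


if __name__ == "__main__":
    print("app-side :", app_side_login("alice", "correct horse"))
    print("sasl     :", sasl_login("bob", "hunter2"))
    print("mapped   :", sasl_map_identity("uid=admin,cn=EXTERNAL,cn=auth"))
```

The operational point of the column shows up in `AUTHZ_REGEXP`: renaming the people subtree or switching the login attribute from `uid` to `mail` is a one-line change on the server, whereas `app_side_login` hard-codes both and has to be updated in every application that copies it.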

Using SASL in this way is currently unusual, but will become increasingly common.

... Steve Kille (editor: Richi Jennings)
