Directory Services 7.4.3

DIGEST-MD5 SASL Mechanism Handler (LEGACY)

LEGACY since 2.4.0: Deprecated by IETF. Alternative: Use any of the password storage schemes enabled by default.

The DIGEST-MD5 SASL mechanism is used to perform all processing related to SASL DIGEST-MD5 authentication.

The DIGEST-MD5 SASL mechanism is very similar to the CRAM-MD5 mechanism in that it allows for password-based authentication without exposing the password in the clear (although it does require that both the client and the server have access to the clear-text password). Like the CRAM-MD5 mechanism, it uses data that is randomly generated by the server to make it resistant to replay attacks, but it also includes randomly-generated data from the client, which makes it also resistant to problems resulting from weak server-side random number generation.

Parent

The DIGEST-MD5 SASL Mechanism Handler object inherits from SASL Mechanism Handler.

Dependencies

DIGEST-MD5 SASL Mechanism Handlers depend on the following objects:

DIGEST-MD5 SASL Mechanism Handler properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

enabled
identity-mapper
quality-of-protection
realm
server-fqdn

java-class

Basic properties

Use the --advanced option to access advanced properties.

enabled

Synopsis

Indicates whether the SASL mechanism handler is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

identity-mapper

Synopsis

Specifies the name(s) of the identity mappers that are to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.

Default value

None

Allowed values

The name of an existing identity-mapper.

The referenced identity mapper(s) must be enabled when the DIGEST-MD5 SASL Mechanism Handler is enabled.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

quality-of-protection

Synopsis

The name of a property that specifies the quality of protection the server will support.

Default value

none

Allowed values

  • confidentiality: Quality of protection equals authentication with integrity and confidentiality protection.

  • integrity: Quality of protection equals authentication with integrity protection.

  • none: QOP equals authentication only.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

realm

Synopsis

Specifies the realms that is to be used by the server for DIGEST-MD5 authentication.

Description

If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.

Default value

If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.

Allowed values

Any realm string that does not contain a comma.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

server-fqdn

Synopsis

Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process.

Description

If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.

Default value

The server attempts to determine the fully-qualified domain name dynamically.

Allowed values

The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.

Default value

org.opends.server.extensions.DigestMD5SASLMechanismHandler

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin action required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-only

No