The directory server currently supports the following SASL mechanisms:
This mechanism does not actually authenticate clients, but does provide a mechanism for including trace information in server logs for debugging purposes.
This mechanism is provided for backward compatibility only. Do not configure CRAM-MD5 in a production environment. Use the DIGEST-MD5 mechanism instead, because it provides much better security.
This mechanism provides the ability for clients to use password-based authentication without sending the password to the server. Instead, the client only needs to provide information that proves it knows the password. This mechanism offers more options and better security than the CRAM-MD5 mechanism.
This mechanism provides the ability for clients to identify themselves based on information provided outside of the direct flow of LDAP communication. In OpenDS, this may be achieved through the use of SSL client certificates.
This mechanism provides the ability for clients to authenticate to the server through their participation in a Kerberos V5 environment.
This mechanism uses a password based authentication, but does offer the ability to use a username rather than requiring a DN.
Support for additional SASL mechanisms can be added by implementing custom SASL mechanism handlers in the server..
Because SASL mechanisms are so extensible, the set of information that the client needs to provide to the server in order to perform the authentication varies from one mechanism to another. As such, OpenDS clients use a generic interface for users to provide this information. This is exposed through the -o or --saslOption argument, and the value for this argument should be a name-value pair. Select which SASL mechanism to use using the mech option, for example:
The other options that are available for use depend on the SASL mechanism that has been chosen, as described in the following sections.