When a client binds to Directory Proxy Server with the Simple Authentication and Security Layer (SASL) external bind, Directory Proxy Server obtains the credentials of the client from the certificate, rather than from the bind DN.
The server obtains the credentials in one of two ways:
Considers the subject of the certificate as the bind DN of the client
Maps the certificate subject to data within its own database, to deduce the bind DN
SASL external bind cannot be used if Directory Proxy Server is configured for BIND replay. In BIND replay, Directory Proxy Server authenticates the client to a backend LDAP server by using the client DN and password. In SASL external bind, no password is provided by the client. Furthermore, the password that is stored in the user entry cannot be read in clear text. For information about bind replay, see Directory Proxy Server Configured for BIND Replay.
SSL can be used to protect subsequent interactions between the client and Directory Proxy Server.
For information about how to configure authentication by SASL external bind, see To Configure Directory Proxy Server for SASL External Bind in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.