Chapter 14 Using SASL Authentication

This chapter describes the process of using a SASL mechanism to authenticate an LDAP client to an LDAP server. The chapter includes the following sections:
"Understanding SASL"
"Preparing to Use SASL Authentication"
"Using SASL in the Client"
"For More Information"
To use SASL authentication with the Directory SDK for Java, two conditions must hold:
- the LDAP server must support at least one SASL mechanism
- your client environment must support at least one of the SASL mechanisms supported by the server.
Only a mechanism that both sides implement can be used. A server advertises the mechanisms it accepts in the supportedSASLMechanisms attribute of its root DSE, which is the place to check before choosing one.
On the server side, SASL authentication is carried in LDAP bind operations. For each SASL bind request it receives, the server must:
- get the information carried in the SASL bind request (the mechanism name and any credentials)
- create and send a SASL bind response back to the client.
This response can take the form of a challenge requiring an answer from the client (which the client returns in a further bind request), an error message, or a success message indicating that authentication is complete.
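The exchange described above, as an added example that is not code from the original chapter: a SaslClient and a SaslServer from the JDK's javax.security.sasl package run the challenge/response loop inside one JVM, so each server reply (challenge, error, or success) can be observed without an LDAP server. DIGEST-MD5 and CRAM-MD5 are used only because the JDK ships both sides of them; DIGEST-MD5 was moved to Historic by RFC 6331, so this illustrates the protocol flow, not a recommended mechanism. The server name ldap.example.com and the in-memory user table are constructed values, and Java 8 or later is assumed for the lambdas.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/**
 * Drives a complete SASL exchange between a SaslClient and a SaslServer in one
 * JVM. Each server reply stands in for an LDAP bind response: a challenge that
 * needs another bind request, an error (SaslException), or final success.
 */
public class SaslExchangeDemo {

    /** Client side: supplies the user's credentials to whichever callbacks the mechanism raises. */
    static CallbackHandler clientHandler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {          // DIGEST-MD5, one realm offered
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                } else if (cb instanceof RealmChoiceCallback) {    // DIGEST-MD5, several realms offered
                    RealmChoiceCallback rcc = (RealmChoiceCallback) cb;
                    rcc.setSelectedIndex(rcc.getDefaultChoice());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Server side: resolves the authentication ID against a constructed in-memory user table. */
    static CallbackHandler serverHandler(Map<String, char[]> users) {
        return callbacks -> {
            String authcid = null;
            for (Callback cb : callbacks) {                        // pass 1: who is authenticating?
                if (cb instanceof NameCallback) authcid = ((NameCallback) cb).getDefaultName();
            }
            for (Callback cb : callbacks) {                        // pass 2: answer the rest
                if (cb instanceof PasswordCallback) {
                    // unknown user -> null password -> the mechanism rejects the bind
                    ((PasswordCallback) cb).setPassword(users.get(authcid));
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    // a user may only act as itself: authzid must equal authcid
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else if (!(cb instanceof NameCallback) && !(cb instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /**
     * Runs one authentication and returns the authorization ID the server
     * accepted, or null when either side rejected the exchange.
     */
    static String authenticate(String mech, String user, char[] password,
                               Map<String, char[]> users) throws SaslException {
        Map<String, Object> props = new HashMap<>();
        props.put(Sasl.QOP, "auth");                               // authentication only, no security layer
        SaslClient client = Sasl.createSaslClient(new String[] { mech }, null, "ldap",
                "ldap.example.com", props, clientHandler(user, password));
        SaslServer server = Sasl.createSaslServer(mech, "ldap", "ldap.example.com",
                props, serverHandler(users));
        if (client == null || server == null) throw new SaslException("no provider for " + mech);
        try {
            // First bind request: carries an initial response only if the mechanism has one
            byte[] request = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
            byte[] reply = server.evaluateResponse(request);       // bind response: challenge or final
            while (!client.isComplete()) {
                request = client.evaluateChallenge(reply);         // answer the challenge
                if (request == null) break;                        // nothing left to send
                reply = server.evaluateResponse(request);          // next bind response
            }
            if (!server.isComplete()) throw new SaslException("server never reached completion");
            return server.getAuthorizationID();
        } catch (SaslException e) {
            System.out.println("  rejected: " + e.getMessage());   // the error-response outcome
            return null;
        } finally {
            client.dispose();
            server.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, char[]> users = new HashMap<>();               // constructed sample user table
        users.put("alice", "correct horse".toCharArray());
        System.out.println("DIGEST-MD5 alice/good -> " + authenticate("DIGEST-MD5", "alice", "correct horse".toCharArray(), users));
        System.out.println("DIGEST-MD5 alice/bad  -> " + authenticate("DIGEST-MD5", "alice", "guess".toCharArray(), users));
        System.out.println("DIGEST-MD5 mallory    -> " + authenticate("DIGEST-MD5", "mallory", "guess".toCharArray(), users));
        System.out.println("CRAM-MD5 alice/good   -> " + authenticate("CRAM-MD5", "alice", "correct horse".toCharArray(), users));
    }
}
```

DIGEST-MD5 takes two round trips (challenge, response, then the server's rspauth which the client verifies before it reports completion), while CRAM-MD5 finishes after a single response; the loop handles both because it stops on the client's view of completion and then checks the server's. The wrong password and the unknown user are rejected by the server with a SaslException before any success is produced, which is the error outcome an LDAP server reports as a failed bind.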
If you have written your own SASL client implementation (in the examples below, a package named mysecurity.sasl), the SDK can be told to use it in either of two ways:
- request a SASL client and specify the package in the javax.security.sasl.client.pkgs property of the Hashtable passed to authenticate, or
- set the package as the default factory for the session with Sasl.setSaslClientFactory.
Specifying the package through the property (dn is the DN to bind as and cbh your CallbackHandler):

    Hashtable props = new Hashtable();
    props.put( "javax.security.sasl.client.pkgs", "mysecurity.sasl" );
    ld.authenticate( dn, props, cbh );

Setting the package as the default factory for the session:

    Sasl.setSaslClientFactory( new mysecurity.sasl.ClientFactory() );
    Hashtable props = new Hashtable();   // no package property needed
    ld.authenticate( dn, props, cbh );
The CallbackHandler interface through which the SDK asks your code for credentials comes from the Java Authentication and Authorization Service (JAAS). To make it available:
1. Locate the jaas.jar file. The file is included in the directory/java-sdk/ldapjdk/lib directory of the Directory SDK for Java. You can also download the release version of these classes and all subsequent updates at
http://java.sun.com:8081/security/jaas/index.html.
2. Add the jaas.jar file to your CLASSPATH.
3. Import javax.security.auth.callback.* in your code.
On Java 1.4 and later the javax.security.auth.callback classes are part of the JDK itself, and no separate jaas.jar is needed.
A sample CallbackHandler that answers each of the standard callback types (the interface's single method is handle; the constructor stores the user name so that NameCallback can be answered without prompting):

    import java.io.BufferedReader;
    import java.io.Console;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.util.Locale;
    import javax.security.auth.callback.*;

    class SampleCallbackHandler implements CallbackHandler {

        private String _userName = null;

        SampleCallbackHandler( String userName ) {
            _userName = userName;   // the name returned through NameCallback
        }

        /** Handle the requested Callbacks */
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof TextOutputCallback) {
                    // display the message according to the specified STYLE
                    TextOutputCallback toc = (TextOutputCallback)callbacks[i];
                    switch (toc.getStyle()) {
                    case TextOutputCallback.ERROR:
                        System.out.println("ERROR: " + toc.getMessage());
                        break;
                    case TextOutputCallback.INFORMATION:
                        System.out.println(toc.getMessage());
                        break;
                    case TextOutputCallback.WARNING:
                        System.out.println("WARNING: " + toc.getMessage());
                        break;
                    }
                } else if (callbacks[i] instanceof TextInputCallback) {
                    // prompt the user for information, displayed as
                    // prompt [default_reply]:
                    TextInputCallback tic = (TextInputCallback)callbacks[i];
                    System.err.print(tic.getPrompt() + " [" + tic.getDefaultText() + "]: ");
                    System.err.flush();
                    BufferedReader reader = new BufferedReader(
                        new InputStreamReader(System.in));
                    tic.setText(reader.readLine());
                } else if (callbacks[i] instanceof NameCallback) {
                    // supply the authentication ID given to the constructor
                    ((NameCallback)callbacks[i]).setName( _userName );
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // prompt the user for sensitive information
                    PasswordCallback pc = (PasswordCallback)callbacks[i];
                    System.err.print(pc.getPrompt() + " ");
                    System.err.flush();
                    pc.setPassword(readPassword(System.in));
                } else if (callbacks[i] instanceof LanguageCallback) {
                    // Get the language from the locale
                    LanguageCallback lc = (LanguageCallback)callbacks[i];
                    lc.setLocale( Locale.getDefault() );
                } else {
                    throw new UnsupportedCallbackException
                        (callbacks[i], "Unrecognized Callback");
                }
            }
        }

        /** Reads user password from given input stream. */
        private char[] readPassword(InputStream in) throws IOException {
            // When a console is attached, read without echoing the password;
            // otherwise fall back to one line from the given stream (echoed).
            Console console = System.console();
            if (in == System.in && console != null) {
                return console.readPassword();
            }
            BufferedReader reader = new BufferedReader(new InputStreamReader(in));
            String line = reader.readLine();
            return (line == null) ? new char[0] : line.toCharArray();
        }
    }
Once you have
- determined that there is at least one SASL mechanism in common between the server and your client environment, and
- implemented javax.security.auth.callback.CallbackHandler (if you may need to supply additional credentials during authentication),
authenticate by calling LDAPConnection.authenticate with the DN, the properties Hashtable, and your callback handler:

    Hashtable props = new Hashtable();
    props.put( "javax.security.sasl.client.pkgs", "mysecurity.sasl" );
    ld.authenticate( dn, props, new SampleCallbackHandler( userName ) );

Here userName is the authentication ID that the handler returns through NameCallback; the mechanism's other callbacks (for example PasswordCallback) are answered interactively by the handler when the SDK invokes it during the bind.
To authenticate with the EXTERNAL mechanism, which takes the client's identity from the secure transport rather than from credentials exchanged in the bind:
1. Connect to the server over SSL, authenticating with the client's SSL certificate. For more information, see "Connecting to the Server Over SSL".
2. Call the LDAPConnection.authenticate method as follows:

    // ld is the LDAPConnection established over SSL in step 1
    ld.authenticate( null, new String[]{"EXTERNAL"}, null, (CallbackHandler)null );

No DN, properties, or callback handler are passed: the server maps the certificate presented in step 1 to a directory entry itself. If the connection was not established with client certificate authentication, or the server cannot map the certificate, the EXTERNAL bind fails.
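Both steps carried through, as an added example that is not code from the original chapter: it builds a JSSE SSLContext that presents a client certificate and verifies the server, hands it to the SDK through netscape.ldap.factory.JSSESocketFactory (the SSL socket factory shipped with the Mozilla LDAP Java SDK, assumed here because the chapter "Connecting to the Server Over SSL" is not reproduced on this page), connects, and performs the EXTERNAL bind. The host, port, keystore file names and passwords are assumed values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.CallbackHandler;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.factory.JSSESocketFactory;

/**
 * SASL EXTERNAL bind over SSL: the identity comes from the client certificate
 * presented during the TLS handshake, so there is nothing for a CallbackHandler
 * to supply and no password crosses the wire.
 */
public class ExternalBindDemo {

    /** Builds an SSLContext that presents our client certificate and checks the server against a trust store. */
    static SSLContext clientAuthContext(String keyStorePath, char[] keyStorePass,
                                        String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");              // client cert + private key
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyStorePass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePass);

        KeyStore ts = KeyStore.getInstance("PKCS12");              // CA(s) allowed to sign the server cert
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = "ldap.example.com";                          // assumed values
        int port = 636;
        SSLContext ctx = clientAuthContext("client.p12", "changeit".toCharArray(),
                                           "truststore.p12", "changeit".toCharArray());

        // Step 1: connect over SSL; the handshake presents the client certificate.
        LDAPConnection ld = new LDAPConnection(new JSSESocketFactory(null, ctx.getSocketFactory()));
        ld.connect(host, port);
        try {
            // Step 2: bind with EXTERNAL. No DN, no properties and no callback handler:
            // the server maps the certificate subject to an entry itself.
            ld.authenticate(null, new String[] { "EXTERNAL" }, null, (CallbackHandler) null);
            System.out.println("EXTERNAL bind succeeded");
        } catch (LDAPException e) {
            // Typical causes: the server did not request or could not map the certificate,
            // or EXTERNAL is not among the server's supportedSASLMechanisms.
            System.out.println("EXTERNAL bind failed: " + e);
        } finally {
            ld.disconnect();
        }
    }
}
```

The server must be configured to request client certificates and to map a certificate to a directory entry; with a server that merely accepts SSL, the handshake succeeds but the EXTERNAL bind is rejected, which is why the failure is caught and reported separately from a connection error.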
SASL itself is specified in RFC 2222, "Simple Authentication and Security Layer (SASL)":
http://www.ietf.org/rfc/rfc2222.txt
The registry of SASL mechanism names is maintained by IANA at:
http://www.isi.edu/in-notes/iana/assignments/sasl-mechanisms