The DIGEST-MD5 SASL mechanism is used to perform all processing related to SASL DIGEST-MD5 authentication.
The DIGEST-MD5 SASL mechanism is very similar to the CRAM-MD5 mechanism in that it allows for password-based authentication without exposing the password in the clear (although it does require that both the client and the server have access to the clear-text password). Like the CRAM-MD5 mechanism, it uses data that is randomly generated by the server to make it resistant to replay attacks, but it also includes randomly generated data from the client, which also makes it resistant to problems resulting from weak server-side random number generation.
The Digest MD5 SASL Mechanism Handler component inherits from the SASL Mechanism Handler.
A description of each property follows.
Basic Properties | Advanced Properties |
---|---|
enabled | java-class |
quality-of-protection | |
realm | |
server-fqdn | |

Property | enabled |
---|---|
Description | Indicates whether the SASL mechanism handler is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |

Property | quality-of-protection |
---|---|
Description | The name of a property that specifies the quality of protection the server will support. |
Default Value | none |
Allowed Values | confidentiality - Quality of protection equals authentication with integrity and confidentiality protection; integrity - Quality of protection equals authentication with integrity protection; none - QOP equals authentication only. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |

Property | realm |
---|---|
Description | Specifies the realm that is to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to use the fully qualified hostname of the machine. |
Default Value | If this value is not provided, then the server defaults to use the fully qualified hostname of the machine. |
Allowed Values | Any realm string that does not contain a comma. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |

Property | server-fqdn |
---|---|
Description | Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value. |
Default Value | The server attempts to determine the fully-qualified domain name dynamically. |
Allowed Values | The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |

Property | java-class |
---|---|
Description | Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation. |
Default Value | org.opends.server.extensions.DigestMD5SASLMechanismHandler |
Allowed Values | A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler |
Multi-valued | No |
Required | Yes |
Admin Action Required | The Digest MD5 SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect. |
Advanced Property | Yes |
Read-only | No |
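
Why the server-fqdn check matters, as an added example that is not OpenDS code: the DIGEST-MD5 response defined in RFC 2831 hashes whatever digest-uri the client sent, so a valid response alone does not show that the client meant this server; only the comparison against "ldap/" followed by server-fqdn does. The function names, the exact-match comparison and all sample values below are assumptions constructed for illustration.

```python
import hashlib
import hmac

# The page's quality-of-protection values and their RFC 2831 qop tokens.
QOP = {"none": "auth", "integrity": "auth-int", "confidentiality": "auth-conf"}

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(f: dict, password: str) -> str:
    """RFC 2831 response-value (md5-sess, no authzid, ASCII-only fields)."""
    # A1 begins with the raw MD5 of user:realm:password, so the server must be
    # able to recover the clear-text password to recompute it.
    secret = hashlib.md5(f"{f['username']}:{f['realm']}:{password}".encode()).digest()
    a1 = secret + f":{f['nonce']}:{f['cnonce']}".encode()
    # A2 binds the client-chosen digest-uri into the hash.
    a2 = "AUTHENTICATE:" + f["digest-uri"]
    if f["qop"] in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{md5hex(a1)}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{md5hex(a2.encode())}"
    return md5hex(kd.encode())

def verify(f: dict, password: str, issued_nonce: str, server_fqdn=None) -> bool:
    """Server-side check (hypothetical); server_fqdn=None models 'accepts any value'."""
    if server_fqdn is not None and f["digest-uri"] != "ldap/" + server_fqdn:
        return False  # digest-uri does not name this server
    if f["nonce"] != issued_nonce:
        return False  # not the nonce this server issued
    return hmac.compare_digest(digest_response(f, password), f["response"])

def client_fields(digest_uri: str, password: str, nonce: str) -> dict:
    """Constructed client message for the demo (all values are sample data)."""
    f = {"username": "jdoe", "realm": "example.com", "nonce": nonce,
         "cnonce": "Y2xpZW50LW5vbmNl", "nc": "00000001",
         "qop": QOP["none"], "digest-uri": digest_uri}
    f["response"] = digest_response(f, password)
    return f

if __name__ == "__main__":
    nonce = "c2VydmVyLW5vbmNl"  # constructed server nonce
    msg = client_fields("ldap/other.example.com", "s3cret", nonce)
    print(verify(msg, "s3cret", nonce))                           # True
    print(verify(msg, "s3cret", nonce, "directory.example.com"))  # False
```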