NAME¶
Authen::SASL::Perl -- Perl implementation of the SASL Authentication framework
SYNOPSIS¶
use Authen::SASL qw(Perl);
$sasl = Authen::SASL->new(
mechanism => 'CRAM-MD5 PLAIN ANONYMOUS',
callback => {
user => $user,
pass => \&fetch_password
}
);
DESCRIPTION¶
Authen::SASL::Perl is the pure Perl implementation of SASL mechanisms in
the
Authen::SASL framework.
At the time of this writing it provides the client part implementation for the
following SASL mechanisms:
- ANONYMOUS
- The Anonymous SASL Mechanism as defined in RFC 2245 resp. in IETF Draft
draft-ietf-sasl-anon-03.txt from February 2004 provides a method to
anonymously access internet services.
Since it does no authentication it does not need to send any confidential
information such as passwords in plain text over the network.
- CRAM-MD5
- The CRAM-MD5 SASL Mechanism as defined in RFC2195 resp. in IETF Draft
draft-ietf-sasl-crammd5-XX.txt offers a simple challenge-response
authentication mechanism.
Since it is a challenge-response authentication mechanism no passwords are
transferred in clear-text over the wire.
Due to the simplicity of the protocol CRAM-MD5 is susceptible to replay and
dictionary attacks, so DIGEST-MD5 should be used in preferrence.
- DIGEST-MD5
- The DIGEST-MD5 SASL Mechanism as defined in RFC 2831 resp. in IETF Draft
draft-ietf-sasl-rfc2831bis-XX.txt offers the HTTP Digest Access
Authentication as SASL mechanism.
Like CRAM-MD5 it is a challenge-response authentication method that does not
send plain text passwords over the network.
Compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext attacks, and
permits the use of third party authentication servers, so that it is
recommended to use DIGEST-MD5 instead of CRAM-MD5 when possible.
- EXTERNAL
- The EXTERNAL SASL mechanism as defined in RFC 2222 allows the use of
external authentication systems as SASL mechanisms.
- GSSAPI
- The GSSAPI SASL mechanism as defined in RFC 2222 resp. IETF Draft
draft-ietf-sasl-gssapi-XX.txt allows using the Generic Security Service
Application Program Interface [GSSAPI] KERBEROS V5 as as SASL mechanism.
Although GSSAPI is a general mechanism for authentication it is almost
exlusively used for Kerberos 5.
- LOGIN
- The LOGIN SASL Mechanism as defined in IETF Draft
draft-murchison-sasl-login-XX.txt allows the combination of username and
clear-text password to be used in a SASL mechanism.
It does does not provide a security layer and sends the credentials in clear
over the wire. Thus this mechanism should not be used without adequate
security protection.
- PLAIN
- The Plain SASL Mechanism as defined in RFC 2595 resp. IETF Draft
draft-ietf-sasl-plain-XX.txt is another SASL mechanism that allows
username and clear-text password combinations in SASL environments.
Like LOGIN it sends the credentials in clear over the network and should not
be used without sufficient security protection.
As for server support, only
PLAIN,
LOGIN and
DIGEST-MD5 are
supported at the time of this writing.
"server_new" OPTIONS is a hashref that is only relevant for
DIGEST-MD5 for now and it supports the following options:
- - no_integrity
- - no_confidentiality
which configures how the security layers are negotiated with the client (or
rather imposed to the client).
SEE ALSO¶
Authen::SASL, Authen::SASL::Perl::ANONYMOUS, Authen::SASL::Perl::CRAM_MD5,
Authen::SASL::Perl::DIGEST_MD5, Authen::SASL::Perl::EXTERNAL,
Authen::SASL::Perl::GSSAPI, Authen::SASL::Perl::LOGIN,
Authen::SASL::Perl::PLAIN
AUTHOR¶
Peter Marschall <peter@adpm.de>
Please report any bugs, or post any suggestions, to the perl-ldap mailing list
<perl-ldap@perl.org>
COPYRIGHT¶
Copyright (c) 2004-2006 Peter Marschall. All rights reserved. This document is
distributed, and may be redistributed, under the same terms as Perl
itself.