Overview
The CRAM-MD5 SASL Mechanism is a SASL Authentication Method that lets a client authenticate to the Directory Server with a username and password without sending the clear-text password over the connection. The client proves possession of the password by answering a server challenge with a keyed digest, so a passive observer does not learn the password directly, which makes it safer than Simple Authentication or the PLAIN SASL Mechanism when the connection between the client and the server is not otherwise protected. It is not a strong mechanism: anyone who captures a challenge and its response can run an offline dictionary attack against the password, the server must have access to the clear-text password (or an HMAC intermediate state derived from it), and nothing in the mechanism authenticates the server or protects the traffic that follows the bind. It should therefore still be used over a TLS-protected connection.
The CRAM-MD5 SASL Mechanism is described in RFC 2195. The process is as follows:
- The client sends an LDAP Message to the server with a bind request protocol op type using an authentication type of SASL with a mechanism name of "CRAM-MD5" and no credentials.
- The server sends a bind response message back to the client with an LDAP Result Code of 14 (saslBindInProgress) and a server SASL credentials element containing a freshly generated, unpredictable challenge. RFC 2195 uses a message-id-like form such as "<random.timestamp@hostname>"; the exact format does not matter to the client, but the challenge must never be reused, since a repeated challenge lets a captured response be replayed.
- The client responds with a second SASL bind request message to the server with a mechanism name of "CRAM-MD5", and this time provides SASL credentials consisting of the Authentication ID used to identify the user, a single space, and an HMAC-MD5 digest (RFC 2104, keyed with the clear-text password and computed over the server-provided challenge) rendered as 32 lowercase hexadecimal digits.
- The server uses the authentication ID to identify the user, retrieves the clear-text password for that user (if the clear-text password cannot be obtained, for example because the password is stored only as a salted one-way hash, then authentication will fail) and recomputes the HMAC-MD5 over the challenge it issued. If the recomputed digest matches the one the client sent (ideally using a constant-time comparison), the bind succeeds. The server then sends a bind response to the client with a result of either "success" (0) or "invalid credentials" (49) indicating whether the authentication was successful.
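The exchange above, carried through both sides, as an added example that is not part of the original page and not the code of any directory server. The LDAP framing is simplified to plain Python dicts carrying the result codes rather than BER-encoded BindRequest/BindResponse PDUs; the directory contents, the hostname and all function names are constructed for the example. The RFC 2195 test vector (user "tim", password "tanstaaftanstaaf") is used to check the digest computation, and the last function shows why a captured exchange is still exposed to an offline dictionary attack.

```python
import hashlib
import hmac
import secrets
import time

# LDAP resultCode values used in the bind exchange (RFC 4511).
SUCCESS = 0
SASL_BIND_IN_PROGRESS = 14
INVALID_CREDENTIALS = 49

# Constructed sample directory. CRAM-MD5 requires the server to recover the
# clear-text password, so it is stored in the clear here (a known cost of the mechanism).
DIRECTORY = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id style."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode("utf-8")


def hmac_md5_hex(password: str, challenge: bytes) -> str:
    """HMAC-MD5 (RFC 2104) keyed with the password, over the challenge, as lowercase hex.
    The hmac module already hashes keys longer than the 64-byte block, as RFC 2195 requires."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(authid: str, password: str, challenge: bytes) -> bytes:
    """Client side: credentials for the second bind request, '<authid> SP <hexdigest>'."""
    return f"{authid} {hmac_md5_hex(password, challenge)}".encode("utf-8")


def verify_response(credentials: bytes, challenge: bytes, directory: dict) -> int:
    """Server side: return the LDAP resultCode for the second bind request."""
    try:
        authid, sep, digest = credentials.decode("utf-8").rpartition(" ")
    except UnicodeDecodeError:
        return INVALID_CREDENTIALS
    if not sep or not authid or len(digest) != 32:
        return INVALID_CREDENTIALS
    password = directory.get(authid)
    # Unknown user: still compute an HMAC so response time does not reveal which IDs exist.
    expected = hmac_md5_hex(password if password is not None else "no-such-user", challenge)
    if password is None or not hmac.compare_digest(expected, digest):
        return INVALID_CREDENTIALS
    return SUCCESS


def cram_md5_bind(authid: str, password: str, directory: dict, hostname: str = "ldap.example.com") -> list:
    """Run the two-round exchange and return the resultCode of each bind response."""
    # Round 1: SASL bind with mechanism CRAM-MD5 and no credentials.
    request1 = {"op": "bindRequest", "mechanism": "CRAM-MD5", "credentials": None}
    assert request1["credentials"] is None
    challenge = make_challenge(hostname)
    response1 = {"op": "bindResponse", "resultCode": SASL_BIND_IN_PROGRESS, "serverSaslCreds": challenge}
    # Round 2: the client answers the challenge with the keyed digest.
    request2 = {"op": "bindRequest", "mechanism": "CRAM-MD5",
                "credentials": cram_md5_response(authid, password, response1["serverSaslCreds"])}
    response2 = {"op": "bindResponse",
                 "resultCode": verify_response(request2["credentials"], challenge, directory)}
    return [response1["resultCode"], response2["resultCode"]]


def offline_dictionary_attack(challenge: bytes, captured_credentials: bytes, wordlist):
    """Why CRAM-MD5 still needs TLS: a passive observer who captured the challenge and the
    response can test password guesses offline, without ever talking to the server."""
    _, _, digest = captured_credentials.decode("utf-8").rpartition(" ")
    for guess in wordlist:
        if hmac_md5_hex(guess, challenge) == digest:
            return guess
    return None


if __name__ == "__main__":
    vector = b"<1896.697170952@postoffice.reston.mci.net>"  # challenge from RFC 2195
    print(cram_md5_response("tim", "tanstaaftanstaaf", vector))
    print(cram_md5_bind("tim", "tanstaaftanstaaf", DIRECTORY))  # [14, 0]
    print(cram_md5_bind("tim", "wrong-password", DIRECTORY))    # [14, 49]
```

In a real LDAP bind the credentials travel as raw octet strings inside the BER-encoded bind messages; the base64 form seen in RFC 2195 applies only to the IMAP and POP transports. The server-side comparison uses hmac.compare_digest so that a wrong digest fails in constant time.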
The CRAM-MD5 SASL Mechanism is very similar to the DIGEST-MD5 SASL Mechanism, but it is somewhat weaker: CRAM-MD5 includes random data only from the server, whereas DIGEST-MD5 includes nonces from both the client and the server. DIGEST-MD5 also provides an optional integrity and/or confidentiality layer for the connection, which CRAM-MD5 does not offer. Both mechanisms depend on MD5 and both leave a captured exchange open to offline dictionary attacks; DIGEST-MD5 was moved to Historic status by RFC 6331, so neither should be relied on without TLS.