!!! Overview
[{$pagename}] is a [SASL] [Authentication Method] that provides a way for users to [authenticate] to the server using a password in a manner that does not expose the password itself.

[{$pagename}] is similar to, but weaker than, the [DIGEST-MD5] [SASL Mechanism] and doesn't provide any way of ensuring connection [integrity] or [confidentiality].

The CRAM-MD5 [SASL Mechanism] provides a way for clients to [authenticate|Authentication] to the Directory Server with a username and [Password] in a manner that does not expose the clear-text password, so it is significantly safer than [Simple Authentication] or the [PLAIN SASL Mechanism] when the connection between the client and the server is not secure.

[{$pagename}] is described in [RFC 2195].

The process is as follows:
* The client sends an [LDAP Message] to the server with a bind request [protocol op|Definition -- Protocol Op] type using an authentication type of [SASL] with a mechanism name of "CRAM-MD5" and no credentials.
* The server sends a bind response message back to the client with an [LDAP Result Code] of 14 (SASL bind in progress) and a server [SASL] credentials element including randomly-generated data (the challenge).
* The client responds with a second [SASL] bind request message to the server with a mechanism name of "CRAM-MD5", and this time provides SASL credentials containing the [Authentication ID] used to identify the user and an [MD5] digest that is computed by combining the server-provided challenge with the clear-text password.
* The server uses the authentication ID to identify the user, and then retrieves the clear-text password for that user (if the clear-text password cannot be obtained, then authentication will fail) and uses it to determine whether the provided digest is valid. The server will then send an appropriate response to the client (usually with a result of either "success" or "invalid credentials") indicating whether the authentication was successful.
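
The exchange above as an added example (not part of the original page): RFC 2195 defines the digest as HMAC-MD5 keyed with the password over the challenge, sent as the authentication ID, a space, and the hex digest. The `Server` class, the host name `ldap.example.com` and the one-shot challenge bookkeeping are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(host="ldap.example.com"):  # host name is a constructed placeholder
    """Server side: fresh, unpredictable challenge in RFC 2195 msg-id form."""
    return f"<{secrets.token_hex(16)}.{int(time.time())}@{host}>".encode()


def client_response(auth_id, password, challenge):
    """Client side: authid SP hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{auth_id} {digest}".encode()


class Server:
    """Hypothetical server half of the exchange (not a real directory server API)."""

    def __init__(self, cleartext_passwords):
        # CRAM-MD5 only works if the server can recover the clear-text password.
        self.passwords = cleartext_passwords
        self.outstanding = set()  # challenges issued and not yet answered

    def start_bind(self):
        challenge = make_challenge()
        self.outstanding.add(challenge)
        return challenge

    def finish_bind(self, challenge, response):
        # Each challenge is accepted once, so a captured response cannot be replayed.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        # The digest is the last space-separated token; the authid may contain spaces.
        auth_id, _, digest = response.decode(errors="replace").rpartition(" ")
        password = self.passwords.get(auth_id)
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        # Constant-time comparison avoids leaking how many digest characters matched.
        return hmac.compare_digest(expected.encode(), digest.encode())
```

The response depends only on the server's challenge, which is the point the comparison with DIGEST-MD5 below turns on: the client contributes no random data of its own.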

[{$pagename}] is very similar to the [DIGEST-MD5] [SASL Mechanism], but it is somewhat weaker because CRAM-MD5 only includes random data from the server, whereas DIGEST-MD5 includes random data from both the client and the server. DIGEST-MD5 also makes provision for ensuring connection integrity and/or confidentiality, which CRAM-MD5 does not offer.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]