!!! Overview
[Simple Authentication and Security Layer] (SASL) is a [framework] for [Authentication] and [data] [Security Layer] that can provide [data] [integrity], [data] [confidentiality], and other services for [Internet Protocols]. [{$pagename}] allows the [Authentication Method] to be decoupled from [application] [protocols], in theory allowing any [Authentication Method] supported by [{$pagename}] to be used in any application protocol that uses [{$pagename}].

[Authentication Methods] may also support [Delegation]. They may also provide a [data] [Security Layer] offering data [integrity] and [data] [confidentiality] services. [DIGEST-MD5] provides an [example] of mechanisms which can provide a data [Security Layer]. 

The original [{$pagename}] specification, [RFC 2222], was written at Carnegie Mellon University. In [2006|Year 2006] that document was made obsolete by [RFC 4422], but a number of specific [SASL Mechanisms] are described in other specifications. [2]

Because [{$pagename}] Mechanisms are external to the application protocol, they may be referred to as EXTERNAL SASL Mechanisms even though the SASL Mechanism may reside on, and be performed by, the same server.

!! Generic Operation [1]
The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client determines which of the supported authentication mechanisms will be used (based on the client's capabilities and security requirements).

Protocols that contain SASL support include:
* [LDAP] (Internet Standard Lightweight Directory Access Protocol)
* [SMTP] (Internet Standard Simple Mail Transfer Protocol)
* [POP3] (Internet Standard Post Office Protocol v3)
* [IMAP] (Internet Standard Internet Message Access Protocol)
* [XMPP]: Extensible Messaging and Presence Protocol
* Isode's SOM (Switch Operations and Management) Protocol

To be used with [{$pagename}], a new authentication mechanism needs to be registered, and any authentication mechanism specific capabilities need to be agreed upon. 
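The mechanism selection step described above, as an added example that is not code from this page or from any SASL library: the client parses the mechanisms a server advertises (constructed LDAP root DSE lines), then picks the first mutually supported one that its own policy allows. The preference order, the policy sets and all function names are assumptions for this example.

```python
# Client preference order, strongest first (assumption for this example).
CLIENT_PREFERENCE = ["GSSAPI", "SCRAM-SHA-1", "DIGEST-MD5", "CRAM-MD5",
                     "EXTERNAL", "PLAIN", "LOGIN"]

# Mechanisms that send the password in the clear and so need TLS underneath.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Mechanisms that depend on credentials the client may not hold.
NEEDS_KERBEROS = {"GSSAPI"}
NEEDS_CLIENT_CERT = {"EXTERNAL"}


def choose_mechanism(server_mechs, tls_active, have_kerberos_ticket=False,
                     have_client_cert=False):
    """Return the first mutually supported mechanism the client policy allows, or None."""
    offered = {m.upper() for m in server_mechs}
    for mech in CLIENT_PREFERENCE:
        if mech not in offered:
            continue
        if mech in PLAINTEXT_MECHS and not tls_active:
            continue  # never send a cleartext password without TLS
        if mech in NEEDS_KERBEROS and not have_kerberos_ticket:
            continue
        if mech in NEEDS_CLIENT_CERT and not have_client_cert:
            continue
        return mech
    return None


def parse_supported_sasl_mechanisms(root_dse_lines):
    """Collect the values of 'supportedSASLMechanisms' from LDIF-style root DSE lines."""
    mechs = []
    for line in root_dse_lines:
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.append(value.strip())
    return mechs


# Constructed sample root DSE output (not captured from a real server).
SAMPLE_ROOT_DSE = [
    "dn:",
    "supportedSASLMechanisms: PLAIN",
    "supportedSASLMechanisms: DIGEST-MD5",
    "supportedSASLMechanisms: CRAM-MD5",
    "supportedSASLMechanisms: GSSAPI",
    "supportedSASLMechanisms: ANONYMOUS",
    "namingContexts: dc=example,dc=com",
]

if __name__ == "__main__":
    mechs = parse_supported_sasl_mechanisms(SAMPLE_ROOT_DSE)
    print(choose_mechanism(mechs, tls_active=False))                            # DIGEST-MD5
    print(choose_mechanism(mechs, tls_active=True, have_kerberos_ticket=True))  # GSSAPI
```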

Some selected SASL authentication mechanisms are listed below:
||[Mechanism|SASL Mechanisms]||Standardization||What it Does
|[CRAM-MD5]|[RFC 2195]|Use [MD5] [hash] for client [authentication]
|[DIGEST-MD5]|[RFC 2831]|Adds [server] [authentication] and [confidentiality] to [CRAM-MD5]
|[GSSAPI]|[RFC 4752]|For supporting [Kerberos] [authentication]
|[EXTERNAL|SASL EXTERNAL]|[RFC 4422]|For use with [SSL]/[TLS] and [X.509] [Digital Signatures]
|[PLAIN|PLAIN SASL Mechanism]|[RFC 4616]|[Plaintext] [password]
|LOGIN|de facto|Alternative to [PLAIN SASL Mechanism]
|[NTLM]|Microsoft Proprietary|Similar to [CRAM-MD5]
|[SCRAM-SHA-1]|[RFC 5802]|Salted Challenge Response Mechanism, a new standard
|[NMAS_LOGIN]| |used in [NovellS Challenge Response System]. 

!! [LDAP] and [{$pagename}]
For [LDAP], common EXTERNAL [SASL Mechanisms] include:
* [ANONYMOUS SASL Mechanism] -- This mechanism doesn't actually authenticate users to the server, but can be used to destroy a previous authentication session.
* [CRAM-MD5|CRAM-MD5 SASL Mechanism|CRAM MD5 SASL Mechanism] -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself.  It is similar to, but weaker than, the DIGEST-MD5 SASL mechanism, and doesn't provide any way for ensuring connection integrity or confidentiality.
* [DIGEST-MD5|DIGEST-MD5] -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself.  It is similar to, but stronger than, the CRAM-MD5 SASL mechanism, and also provides a way to ensure connection integrity and/or confidentiality.
* [GSSAPI] -- This mechanism provides a way for users to authenticate to the server using a Kerberos V5 session.  It also provides a mechanism that can be used to ensure connection integrity and/or confidentiality.
* [PLAIN|PLAIN SASL Mechanism] -- This mechanism provides a way for users to authenticate to the server with a username and password.  It is similar to the protection offered by [Simple Authentication], but may be more convenient in that users can identify themselves with a username rather than a [DN].
* [NMAS_LOGIN] -- Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure [NICI] and Novell Directory Services ([eDirectory]®).
* [SPNEGO] -- aka GSS-SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a [GSSAPI] "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.
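To show concretely how CRAM-MD5 authenticates "in a manner that does not expose the password itself", here is an added example (not code from this page or any LDAP server) of one RFC 2195 round trip using only the Python standard library. The challenge, user name and password are constructed sample values; the function names and the in-memory password directory are assumptions for this example.

```python
import base64
import hashlib
import hmac

# Constructed values for this example only (not from a real server).
CHALLENGE = b"<1896.697170952@postoffice.example.com>"
USERNAME = "tim"
PASSWORD = b"tanstaaftanstaaf"


def cram_md5_digest(password, challenge):
    """HMAC-MD5 of the challenge keyed with the shared secret, as lowercase hex (RFC 2195)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def client_response(username, password, b64_challenge):
    """Build the client's base64 reply 'username digest' to a base64-encoded challenge."""
    challenge = base64.b64decode(b64_challenge)
    reply = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(reply.encode()).decode()


def server_verify(b64_response, challenge, lookup_password):
    """Decode the reply, recompute the digest from the stored secret, compare in constant time."""
    try:
        username, digest = base64.b64decode(b64_response).decode().split(" ", 1)
    except ValueError:
        return None  # malformed reply
    stored = lookup_password(username)
    if stored is None:
        return None  # unknown user
    ok = hmac.compare_digest(cram_md5_digest(stored, challenge), digest)
    return username if ok else None


def run_exchange(username, password, challenge=CHALLENGE, directory=None):
    """Simulate one round trip; return (authenticated user or None, password seen on the wire)."""
    directory = directory if directory is not None else {USERNAME: PASSWORD}
    b64_challenge = base64.b64encode(challenge).decode()            # server -> client
    response = client_response(username, password, b64_challenge)   # client -> server
    user = server_verify(response, challenge, directory.get)
    wire = base64.b64decode(b64_challenge) + base64.b64decode(response)
    return user, password in wire
```

Note that the server must hold the cleartext password (or an equivalent) to recompute the HMAC, which is why the page ranks DIGEST-MD5 and SCRAM above this mechanism.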

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]

----
[#1] Adapted from [http://www.isode.com/products/sasl.html] retrieved 2012-09-28
[#2] Adapted from [http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer] retrieved 2012-09-28