SASL (Simple Authentication and Security Layer) is an Internet Standard that enables the Internet Messaging Protocols and LDAP (Lightweight Directory Access Protocol) to utilize a wide range of authentication mechanisms. This week, an updated version was approved to replace RFC 2222.
SASL is an important, but less well known, member of the Internet messaging and directory protocol family. It is generally thought of as a mechanism to enable use of alternate authentication mechanisms, and is often used to achieve this. There is another feature of SASL that is also important.
Many applications, and in particular custom Web applications, use LDAP as an authentication mechanism to verify the user name and password provided by the application. Working in this way is a very sensible approach for many organizations, as it allows a simple centralized authentication mechanism. This is achieved by the application binding to the directory as the user. As LDAP binds require use of the full directory name of the user, the application will generally first make an anonymous bind to the directory and then search the directory for the user name supplied by the application in order to determine the directory name needed for the second bind that does the actual authentication.
Use of SASL in conjunction with LDAP offers a much better solution. SASL enables use of authentication with the username supplied by the application, and performs the mapping to directory name on the server side. This has an immediate and obvious advantage of avoiding an extra (insecure) directory bind and operation. It also has a big operational advantage, as the algorithm to map from username to directory name is managed in one place (on the directory server) rather than needing to be maintained in every application that works in this manner.
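To make the two flows concrete, here is an added Python example (not from the original post): a toy in-memory directory with the client-side search-then-bind pattern beside a server-side SASL PLAIN bind whose username-to-DN mapping rule lives on the server. The directory entries, the mapping rule syntax and the function names are constructed for illustration; the PLAIN message layout follows RFC 4616.

```python
import hmac
import re
from typing import Optional, Tuple

# Constructed in-memory directory standing in for an LDAP server: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}

# Server-side mapping rule (hypothetical syntax): SASL username -> DN, maintained in ONE place.
USERNAME_TO_DN = (re.compile(r"^([a-z0-9._-]+)$"), r"uid=\1,ou=people,dc=example,dc=com")


def parse_sasl_plain(message: bytes) -> Tuple[str, str, str]:
    """Split a SASL PLAIN initial response: [authzid] NUL authcid NUL passwd (RFC 4616)."""
    parts = message.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def map_username_to_dn(username: str) -> Optional[str]:
    """Apply the server's single mapping rule; reject names the rule does not cover."""
    pattern, template = USERNAME_TO_DN
    return pattern.sub(template, username) if pattern.match(username) else None


def sasl_bind(message: bytes) -> Optional[str]:
    """Server side of a SASL PLAIN bind: map the username, then verify the password."""
    authzid, authcid, passwd = parse_sasl_plain(message)
    if authzid and authzid != authcid:
        return None  # proxy authorization (authzid != authcid) not supported by this toy server
    dn = map_username_to_dn(authcid)
    entry = DIRECTORY.get(dn) if dn else None
    if entry is None or not hmac.compare_digest(entry["userPassword"].encode(), passwd.encode()):
        return None
    return dn


def search_then_simple_bind(username: str, password: str) -> Optional[str]:
    """The two-step pattern the text describes: anonymous search for the DN, then a simple bind."""
    # Step 1: anonymous bind + search for uid=<username>; the mapping logic lives in every client.
    # A real client builds an LDAP filter here and must escape the username (RFC 4515) first.
    matches = [dn for dn, attrs in DIRECTORY.items() if attrs["uid"] == username]
    if len(matches) != 1:
        return None
    # Step 2: simple bind with the discovered DN and the user's password.
    dn = matches[0]
    ok = hmac.compare_digest(DIRECTORY[dn]["userPassword"].encode(), password.encode())
    return dn if ok else None


def build_sasl_plain(username: str, password: str) -> bytes:
    """Client side: encode username and password as a PLAIN message with an empty authzid."""
    return b"\x00" + username.encode("utf-8") + b"\x00" + password.encode("utf-8")
```

PLAIN carries the password in the clear inside the message, so a real server only offers it on a TLS-protected connection.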
Using SASL in this way is currently unusual, but will become increasingly common.
Steve Kille
