Overview#Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. SASL decouples authentication mechanisms from application protocols, so that, in theory, any authentication mechanism supported by SASL can be used in any application protocol that uses SASL.
Authentication mechanisms may also support proxy authorization, a facility that lets one user assume the identity of another (the authorization identity is carried separately from the authentication identity). They may also negotiate a data security layer that provides integrity and/or confidentiality for the rest of the session; DIGEST-MD5 and GSSAPI are examples of mechanisms that can provide such a layer.
The original SASL specification, RFC 2222, was written in 1997 by John Gardiner Myers while at Carnegie Mellon University. In 2006 that document was obsoleted by RFC 4422; the individual SASL mechanisms are described in separate specifications.
Because SASL mechanisms are external to the application protocol (the protocol only carries the mechanism's opaque exchange), they may be referred to on this page as EXTERNAL SASL Mechanisms even when the mechanism is implemented and evaluated by the same server. This should not be confused with the specific mechanism named EXTERNAL (listed below), which relies on authentication already established outside SASL, for example by a TLS client certificate.
Protocols that contain SASL support include:
- LDAP (Internet Standard Lightweight Directory Access Protocol)
- SMTP (Internet Standard Simple Mail Transfer Protocol)
- POP3 (Internet Standard Post Office Protocol v3)
- IMAP (Internet Standard Internet Message Access Protocol)
- XMPP: Extensible Messaging and Presence Protocol
- Isode's SOM (Switch Operations and Management) Protocol
To be used with SASL, a new authentication mechanism must be registered (IANA maintains the SASL Mechanisms registry), and any mechanism-specific capabilities must be agreed upon by client and server.
Some selected SASL authentication mechanisms are listed below:
| Mechanism | Standardization | What it does |
|---|---|---|
| CRAM-MD5 | RFC 2195 | Challenge/response using HMAC-MD5; authenticates the client only |
| DIGEST-MD5 | RFC 2831 | Adds server authentication and an optional integrity/confidentiality layer to the CRAM-MD5 idea; moved to Historic status by RFC 6331 |
| GSSAPI | RFC 4752 | Kerberos V5 authentication through the GSS-API |
| EXTERNAL | RFC 4422 | Uses authentication already established outside SASL, e.g. an X.509 client certificate presented during the SSL/TLS handshake |
| PLAIN | RFC 4616 | Clear-text username and password; only acceptable inside a TLS-protected connection |
| LOGIN | de facto | Older, non-standard alternative to PLAIN |
| NTLM | Microsoft proprietary | Challenge/response mechanism, comparable to CRAM-MD5 |
| SCRAM-SHA-1 | RFC 5802 | Salted Challenge Response Authentication Mechanism (2010); SCRAM-SHA-256 followed in RFC 7677 |
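As an added example (not code from the original page or from any of the products it names), the SCRAM-SHA-1 exchange of RFC 5802 carried through in Python with both the client and the server side, so that the difference from CRAM-MD5 and DIGEST-MD5 is visible: the server stores only the salt, iteration count, StoredKey and ServerKey, never the password, and the final message lets the client authenticate the server. Nonces and salt are passed in as parameters so the run is reproducible; the values used in the demo at the bottom are the inputs of the RFC 5802 section 5 example, and the layout of the credential record (a plain dict) is my own choice.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

HASH = "sha1"        # SCRAM-SHA-1 (RFC 5802); "sha256" gives SCRAM-SHA-256 (RFC 7677)
GS2_HEADER = b"n,,"  # no channel binding, no authzid; its base64 is the "c=" attribute


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(message: str) -> Dict[str, str]:
    # "a=value,b=value" attribute pairs; only the first "=" separates name from value
    return dict(item.split("=", 1) for item in message.split(","))


def store_credentials(password: str, salt: bytes, iterations: int) -> Dict[str, object]:
    """What a SCRAM server stores instead of the password: salt, iteration
    count, StoredKey = H(ClientKey) and ServerKey. A stolen copy of this
    record does not let an attacker log in as the user without the password."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}


def scram_exchange(username: str, password: str, creds: Dict[str, object],
                   client_nonce: str, server_nonce: str) -> Tuple[bool, bool, List[str]]:
    """Run one SCRAM authentication. Returns (server accepted the client,
    client verified the server, wire transcript). Real implementations draw
    the nonces from a CSPRNG; here they are parameters for reproducibility."""
    transcript: List[str] = []

    # C -> S: client-first-message = gs2-header + client-first-message-bare.
    # "=" and "," in the username are escaped as =3D and =2C (RFC 5802 5.1).
    client_first_bare = f"n={username.replace('=', '=3D').replace(',', '=2C')},r={client_nonce}"
    transcript.append(GS2_HEADER.decode() + client_first_bare)

    # S -> C: server-first-message. The server appends its own nonce and sends
    # the salt and iteration count so the client can re-derive SaltedPassword.
    combined_nonce = client_nonce + server_nonce
    server_first = (f"r={combined_nonce},s={base64.b64encode(creds['salt']).decode()},"
                    f"i={creds['iterations']}")
    transcript.append(server_first)

    # Client: the returned nonce must start with the one it sent (replay check).
    sf = _parse(server_first)
    if not sf["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"),
                                 base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = _hmac(salted, b"Client Key")
    client_final_bare = f"c={base64.b64encode(GS2_HEADER).decode()},r={sf['r']}"
    # AuthMessage binds both nonces, the salt parameters and the channel-binding
    # flag; ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("utf-8")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    transcript.append(client_final)

    # Server: XOR the proof with its own ClientSignature to recover ClientKey,
    # then compare H(ClientKey) with StoredKey. The password is never seen.
    cf = _parse(client_final)
    if cf["r"] != combined_nonce:
        return False, False, transcript
    recovered_key = _xor(base64.b64decode(cf["p"]), _hmac(creds["stored_key"], auth_message))
    if not hmac.compare_digest(_h(recovered_key), creds["stored_key"]):
        return False, False, transcript          # wrong password: no server-final is sent

    # S -> C: server-final-message carries ServerSignature = HMAC(ServerKey, AuthMessage),
    # which only a server holding ServerKey (derived from the password) can produce.
    server_final = "v=" + base64.b64encode(_hmac(creds["server_key"], auth_message)).decode()
    transcript.append(server_final)
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    client_ok = hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]), expected)
    return True, client_ok, transcript


if __name__ == "__main__":
    # Inputs taken from the RFC 5802 section 5 example (user "user", password "pencil").
    creds = store_credentials("pencil", base64.b64decode("QSXCR+Q6sek8bf92"), 4096)
    server_ok, client_ok, lines = scram_exchange(
        "user", "pencil", creds, "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j")
    for direction, line in zip(("C:", "S:", "C:", "S:"), lines):
        print(direction, line)
    print("server accepted client:", server_ok, "| client verified server:", client_ok)
```

Changing HASH to "sha256" turns this into SCRAM-SHA-256 with no other change; channel binding (a "p=" gs2-header) and the SASLprep normalization of the password are not implemented here.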
LDAP and SASL#For LDAP, common EXTERNAL SASL Mechanisms include:
- ANONYMOUS -- Defined in RFC 4505. This mechanism does not authenticate the user to the server; in LDAP a bind with it resets the connection's authorization state to anonymous, which is the usual way to discard a previous authentication on the same connection.
- CRAM-MD5 -- Lets users authenticate with a password without sending the password itself: the server sends a challenge and the client returns an HMAC-MD5 of that challenge keyed with the password. It is similar to, but weaker than, DIGEST-MD5: it does not authenticate the server, provides no connection integrity or confidentiality, requires the server to keep the password in recoverable form, and a captured challenge/response pair can be attacked offline with a dictionary.
- DIGEST-MD5 -- Also authenticates with a password without exposing it, and is similar to, but stronger than, CRAM-MD5: it adds server authentication and an optional layer for connection integrity and/or confidentiality. It has since been moved to Historic status by RFC 6331 because of interoperability problems and cryptographic weaknesses; SCRAM is the recommended replacement.
- GSSAPI -- Lets users authenticate to the server with a Kerberos V5 ticket through the GSS-API. It can also negotiate a security layer that ensures connection integrity and/or confidentiality.
- PLAIN -- Lets users authenticate with a username and password sent in the clear, so on the wire it offers the same protection as Simple Authentication (none) and must only be used over a TLS-protected connection. It can be more convenient because users identify themselves with a username (the authentication identity) that the server maps to a DN, and the message can carry a separate authorization identity for proxy authorization.
- NMAS_LOGIN -- Novell Modular Authentication Service (NMAS) is a development framework for writing applications that authenticate to the network using a variety of login and authentication methods. Methods are modular plug-ins that build on Novell International Cryptographic Infrastructure (NICI) and Novell Directory Services (eDirectory).
- GSS-SPNEGO -- SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism, RFC 4178) is a GSS-API "pseudo mechanism" used to negotiate one of a number of possible real mechanisms; in Windows deployments this is typically Kerberos with NTLM as the fallback.
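The PLAIN and CRAM-MD5 entries above, as an added example that is not code from this page or from any LDAP server product: the RFC 4616 PLAIN encoding including the optional authorization identity used for proxy authorization, the RFC 2195 CRAM-MD5 challenge/response on both the client and the server side, and the offline dictionary attack that a captured CRAM-MD5 exchange allows. The challenge string, account names, passwords and wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Callable, Iterable, Optional, Tuple


def plain_encode(authcid: str, password: str, authzid: str = "") -> bytes:
    """Client side of RFC 4616: [authzid] NUL authcid NUL passwd. An empty
    authzid means "authorize me as the identity I am authenticating as"; a
    non-empty one requests proxy authorization as that other user."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return f"{authzid}\0{authcid}\0{password}".encode("utf-8")


def plain_decode(message: bytes) -> Tuple[str, str, str]:
    """Server side: split the PLAIN message back into (authzid, authcid, password).
    The password is right there in the bytes, which is why PLAIN needs TLS."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of RFC 2195: "username SP hex(HMAC-MD5(key=password, challenge))".
    challenge is the server's message (e.g. "<pid.time@host>") after base64 decoding."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes,
                    lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the digest. Note that the server needs the user's
    password (or an equivalent MD5 HMAC state) in recoverable form."""
    username, _, digest = response.rpartition(" ")
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_md5_offline_guess(response: str, challenge: bytes,
                           wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: one captured challenge/response pair is an offline
    oracle, so candidate passwords are tested without contacting the server."""
    _, _, digest = response.rpartition(" ")
    for candidate in wordlist:
        guess = hmac.new(candidate.encode("utf-8"), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real account or host.
    wire = base64.b64encode(plain_encode("alice", "s3cret", authzid="bob"))
    print("PLAIN on the wire:", wire, "->", base64.b64decode(wire))
    challenge = b"<12345.1700000000@ldap.example.com>"
    response = cram_md5_response("alice", "s3cret", challenge)
    print("CRAM-MD5 response:", response)
    print("server accepts:", cram_md5_verify(response, challenge, {"alice": "s3cret"}.get))
    print("offline guess:", cram_md5_offline_guess(response, challenge,
                                                   ["password", "letmein", "s3cret"]))
```

In LDAP the PLAIN bytes travel base64-encoded inside the SASL bind credentials; base64 is encoding, not protection, so the decode in the demo is exactly what a passive observer on a non-TLS connection would do.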
More Information#There might be more information for this subject on one of the following:
- Authentication Methodologies
- Best Practices for LDAP Security
- Bind Request
- Bind Response
- Custom Password Self Service How
- Digest SSP
- Glossary Of LDAP And Directory Terminology
- Kurt Zeilenga
- LDAP Authentication
- Quality of Protection
- SASL Mechanisms
[#1] Adapted from http://www.isode.com/products/sasl.html retrieved 2012-09-28
[#2] Adapted from http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer retrieved 2012-09-28