Internet Direct (Indy)
TIdSASLPlain Class

Implements the PLAIN SASL authentication mechanism.

Pascal
TIdSASLPlain = class(TIdSASLUserPass);

TIdSASLPlain is a TIdSASLUserPass descendant that implements the PLAIN SASL mechanism, as described in the following Internet Standards documents:

RFC 2595 - Using TLS with IMAP, POP3 and ACAP  

RFC 2222 - Simple Authentication and Security Layer (SASL)  

SASL authentication mechanism names must be registered with the IANA. The current list of registered SASL authentication mechanisms is located at: 

IANA Official Simple Authentication and Security Layer Mechanisms  

The PLAIN SASL authentication mechanism provides simple password authentication for systems where authentication is not tightly bound to the privacy layer for the authentication infrastructure. 

PLAIN SASL is normally used in conjunction with TLS (Transport Layer Security) to eliminate transmission of clear-text passwords over unencrypted channels.

Clients and servers which implement PLAIN SASL must be configurable to refuse all clear-text login commands or mechanisms (including both standards-track and nonstandard mechanisms) unless an encryption layer of adequate strength is active. Servers which allow unencrypted clear-text logins should be configurable to refuse clear-text logins both for the entire server, and on a per-user basis. 

Use of PLAIN SASL assumes that a TLS negotiation between the client and server has been successfully completed prior to using the properties or methods in the authentication mechanism. PLAIN SASL authentication eliminates the need to exchange clear-text passwords by relying on the security provided by the encrypted TLS network connection. 

The PLAIN SASL authentication mechanism consists of a single message from the client to the server, including the following: 

  • authorization identity (optional identity to login as)
  • US-ASCII NUL character
  • authentication identity (identity whose password will be used)
  • US-ASCII NUL character
  • clear-text password (for the authentication identity)

The client may use a blank authorization identity to indicate that it is the same as the authentication identity. 

Servers supporting the PLAIN SASL authentication mechanism will verify the authentication identity and password against the system authentication database, and then verify that those credentials permit the client to log in as the authorization identity. If both steps succeed, the user is successfully logged in.

Non-US-ASCII characters are permitted in values used for the authorization identity, authentication identity, or password as long as they are represented in UTF-8 form. Use of non-visible characters or characters which a user may be unable to enter on some keyboards is discouraged. The following table represents the UTF-8 character ranges allowed in the values: 

Allowed ranges (Hex):

  • 01-09
  • 0B-0C
  • 0E-7F
  • C0-DF
  • E0-EF
  • F0-F7
  • F8-FB
  • FC-FD
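The message layout, the two server-side checks and the allowed character ranges above, worked through as an added example (not Indy code): a client-side builder, a server-side parser that enforces the format, and a verifier against a constructed credential store. The user and proxy tables are made-up sample data.

```python
import hmac

NUL = b"\x00"

# Single-byte values allowed by the table above: all of 01-7F except NUL, LF (0A) and CR (0D).
ALLOWED_ASCII = set(range(0x01, 0x0A)) | {0x0B, 0x0C} | set(range(0x0E, 0x80))


def check_utf8_safe(value: bytes) -> str:
    """Reject a field unless it is valid UTF-8 and uses only the allowed ranges.
    Strict UTF-8 decoding covers the multi-byte rows of the table (it is stricter than
    the table for the obsolete F8-FD lead bytes, which modern UTF-8 no longer permits)."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("field is not valid UTF-8") from exc
    for ch in text:
        if ord(ch) < 0x80 and ord(ch) not in ALLOWED_ASCII:
            raise ValueError(f"disallowed control character U+{ord(ch):04X}")
    return text


def build_plain_message(authcid: str, password: str, authzid: str = "") -> bytes:
    """Client side: authzid NUL authcid NUL password; blank authzid means 'same as authcid'."""
    fields = [f.encode("utf-8") for f in (authzid, authcid, password)]
    for f in fields:
        check_utf8_safe(f)
    return NUL.join(fields)


def parse_plain_message(message: bytes) -> tuple[str, str, str]:
    """Server side: exactly two NUL separators, every field validated, authzid defaulted."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise ValueError(f"expected three NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (check_utf8_safe(p) for p in parts)
    if not authcid or not password:
        raise ValueError("authentication identity and password must not be empty")
    return (authzid or authcid), authcid, password


# Constructed sample credential store and proxy table; not real data.
USERS = {"alice": "s3cret", "admin": "hunter2"}
MAY_LOG_IN_AS = {"admin": {"alice"}}   # admin may act as alice


def authenticate(message: bytes) -> str:
    """The two server-side checks described above: verify the password, then the authzid."""
    authzid, authcid, password = parse_plain_message(message)
    stored = USERS.get(authcid, "")
    # Constant-time comparison so a wrong password takes the same time as a right one.
    if not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        raise PermissionError("authentication failed")
    if authzid != authcid and authzid not in MAY_LOG_IN_AS.get(authcid, set()):
        raise PermissionError(f"{authcid} may not log in as {authzid}")
    return authzid
```

On the wire the message is carried inside the protocol's own AUTHENTICATE or AUTH exchange over the already-established TLS connection; this example stops at the raw message.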

TIdSASLPlain extends the ancestor class by implementing the ServiceName and StartAuthenticate methods from TIdSASL, and the LoginAs property that represents the authorization identity for the PLAIN SASL mechanism. 

TIdSASLPlain uses the TIdUserPassProvider to acquire the usernames and passwords used in SASL authentication mechanisms.

Internet Direct (Indy) version 10.1.5
Copyright © 1993-2006, Chad Z. Hower (aka Kudzu) and the Indy Pit Crew. All rights reserved.
Website http://www.indyproject.org.
Post feedback to the Indy Documentation newsgroup.