Different SASL mechanisms have different requirements on the application using it. To handle these differences the library can use a callback function into your application in several different ways. Some mechanisms, such as ‘PLAIN’, are simple to explain and use. The client callback queries the user for a username and password. The server callback hands the username and password into any local policy deciding authentication system (such as /etc/passwd via PAM).
Mechanism such as ‘CRAM-MD5’ and ‘SCRAM-SHA-1’ uses hashed passwords. The client callback behaviour is the same as for PLAIN. However, the server does not receive the plain text password over the network but rather a hash of it. Existing policy deciding systems like PAM cannot handle this, so the server callback for these mechanisms are more complicated.
Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a specific authentication system. In theory this means that the SASL library would not need to interact with the application, but rather call this specific authentication system directly. However, some callbacks are supported anyway, to modify the behaviour of how the specific authentication system is used (i.e., to handle “super-user” login as some other user).
Some mechanisms, like ‘EXTERNAL’ and ‘ANONYMOUS’ are entirely dependent on callbacks.
|• EXTERNAL:||Authentication via out of band information.|
|• ANONYMOUS:||Mechanism for anonymous access to resources.|
|• PLAIN:||Clear text username and password.|
|• LOGIN:||Non-standard clear text username and password.|
|• CRAM-MD5:||Challenge-Response Authentication Mechanism.|
|• DIGEST-MD5:||Digest Authentication.|
|• SCRAM-SHA-1:||SCRAM-SHA-1 authentication.|
|• NTLM:||Microsoft NTLM authentication.|
|• SECURID:||Authentication using tokens.|
|• GSSAPI:||GSSAPI (Kerberos 5) authentication.|
|• GS2-KRB5:||Improved GSSAPI (Kerberos 5) authentication.|
|• SAML20:||Authenticate using SAML 2.0 via a browser.|
|• OPENID20:||Authenticate using OpenID 2.0 via a browser.|
|• KERBEROS_V5:||Experimental KERBEROS_V5 authentication.|