Since there is such a SASL love-fest going on here, allow me to chime in with my dissenting viewpoint. SASL adds nothing but an annoying dependency to LDAP. No, I take that back, it also adds a security hole.

Challenge-response mechanisms have absolutely no advantage over straight password transmission across an SSL/TLS encrypted line. In fact, if they run in cleartext, they have a few disadvantages: (1) No server certificate authentication. (2) If you watch challenge-response a few times, you can get a good deal of the way toward decrypting the password.

Furthermore, in order to support multiple authentication mechanisms, SASL must store passwords essentially in cleartext (i.e. not in a hashed form). That means if anyone ever gets access to your sasldb, you are hosed. Not true for an LDAP database, which stores passwords in hashed form.

The only advantage of a security layer is flexibility: allowing authentication via arbitrary backends (LDAP, SQL, passwd, shadow, kerberos). While SASL makes this possible in theory, I have not had good experiences in trying to make use of this flexibility -- there is very little in the way of widely-distributed, well-tested, well-supported, drop-in code to do all this stuff.

Finally, Birger, what's "really creative" about

    by self write
    by anonymous auth
    by * none

?
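
The storage point raised in the message above, as an added example that is not part of the original post: a simple bind can be checked against a salted hash, while a challenge-response check needs the server to hold the shared secret itself. CRAM-MD5 and the {SSHA} layout are assumptions chosen for illustration (the post names neither), and the user name, password and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} userPassword layout: b64(sha1(pw+salt)+salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def simple_bind_verify(stored, password):
    """Simple bind: the password arrives (inside TLS) and is re-hashed."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

def cram_md5_response(user, secret, challenge):
    """Client reply: user SP hex(HMAC-MD5(key=secret, msg=challenge))."""
    return user + " " + hmac.new(secret, challenge, hashlib.md5).hexdigest()

def cram_md5_verify(server_key, challenge, response):
    """Server recomputes the HMAC, so it needs the same key the client used."""
    mac = response.rpartition(" ")[2]
    expected = hmac.new(server_key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

def demo():
    password = b"constructed-sample-password"    # constructed sample value
    challenge = b"<1234.5678@ldap.example.org>"  # constructed sample value
    stored = ssha_hash(password)                 # what a hashed store holds
    reply = cram_md5_response("alice", password, challenge)
    return (
        simple_bind_verify(stored, password),               # hash is enough
        cram_md5_verify(password, challenge, reply),        # secret required
        cram_md5_verify(stored.encode(), challenge, reply), # hash cannot verify
    )

if __name__ == "__main__":
    print(demo())
```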