<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CDDL HEADER START
  !
  ! The contents of this file are subject to the terms of the
  ! Common Development and Distribution License, Version 1.0 only
  ! (the "License").  You may not use this file except in compliance
  ! with the License.
  !
  ! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
  ! or http://forgerock.org/license/CDDLv1.0.html.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! When distributing Covered Code, include this CDDL HEADER in each
  ! file and include the License file at legal-notices/CDDLv1_0.txt.
  ! If applicable, add the following below this CDDL HEADER, with the
  ! fields enclosed by brackets "[]" replaced with your own identifying
  ! information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CDDL HEADER END
  !
  !
  !      Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="cram-md5-sasl-mechanism-handler"
  plural-name="cram-md5-sasl-mechanism-handlers"
  package="org.forgerock.opendj.server.config" extends="sasl-mechanism-handler"
  xmlns:adm="http://opendj.forgerock.org/admin"
  xmlns:ldap="http://opendj.forgerock.org/admin-ldap">
  <adm:synopsis>
    The CRAM-MD5 SASL mechanism provides the ability for clients to 
    perform password-based authentication in a manner that does not 
    expose their password in the clear. 
  </adm:synopsis>
  <adm:description>
    Rather than including the 
    password in the bind request, the CRAM-MD5 mechanism uses a 
    two-step process in which the client needs only to prove that it 
    knows the password. The server sends randomly-generated data to 
    the client that is to be used in the process, which makes it 
    resistant to replay attacks. The one-way message digest 
    algorithm ensures that the original clear-text password is not 
    exposed.  Note that the algorithm used by the CRAM-MD5 mechanism 
    requires that both the client and the server have access to the 
    clear-text password (or potentially a value that is derived from 
    the clear-text password). In order to authenticate to the server 
    using CRAM-MD5, the password for a user's account must be encoded 
    using a reversible password storage scheme that allows the server 
    to have access to the clear-text value. 
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-cram-md5-sasl-mechanism-handler</ldap:name>
      <ldap:superior>ds-cfg-sasl-mechanism-handler</ldap:superior>
    </ldap:object-class>
  </adm:profile>
  <adm:property-override name="java-class" advanced="true">
    <adm:default-behavior>
      <adm:defined>
        <adm:value>
          org.opends.server.extensions.CRAMMD5SASLMechanismHandler
        </adm:value>
      </adm:defined>
    </adm:default-behavior>
  </adm:property-override>
  <adm:property name="identity-mapper" mandatory="true">
    <adm:synopsis>
      Specifies the name of the identity mapper used
      with this SASL mechanism handler to match the authentication 
      ID included in the SASL bind request to the corresponding 
      user in the directory.
    </adm:synopsis>
    <adm:syntax>
      <adm:aggregation relation-name="identity-mapper"
        parent-path="/">
        <adm:constraint>
          <adm:synopsis>
            The referenced identity mapper must be enabled when the
            <adm:user-friendly-name />
            is enabled.
          </adm:synopsis>
          <adm:target-needs-enabling-condition>
            <adm:contains property="enabled" value="true" />
          </adm:target-needs-enabling-condition>
          <adm:target-is-enabled-condition>
            <adm:contains property="enabled" value="true" />
          </adm:target-is-enabled-condition>
        </adm:constraint>
      </adm:aggregation>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-identity-mapper</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
</adm:managed-object>