Re: Kerberos/LDAP/SASL central authentication server howto
On Sun, 2004-08-08 at 14:29, Markus Moeller wrote:
> Jose,
>
> under "5.1.2. LDAP access" you show the nss_ldap config with:
> ssl start_tls
> tls_cacertdir /etc/ssl/certs
>
> Can't I use SASL/GSSAPI instead of SSL to avoid the SSL cert
> management ?
Nope, GSSAPI only secures the password exchange while tls/ssl secures the
whole transaction. So if you update another user's password on a remote
server that only uses GSSAPI, you'll end up authenticating securely but the
other user's password will be transmitted in cleartext.
Best regards
Tarjei
> Regards
> Markus
>
> On Tue, 03 Aug 2004 17:00 , Jose Gonzalez Gomez
> <jgonzalez@opentechnet.com> sent:
>
> Hi there,
>
> I have the first (very alpha) version of a howto regarding
> Kerberos/LDAP/SASL integration for the creation of a central
> authentication server available at
> http://www.opentechnet.com/auth-howto/. I still have to change
> a lot of things (especially the part of securing the
> directory), but I think it's a good starting point. Comments /
> corrections / additions are welcome.
>
> Best regards
> --
>
> ______________________________________________________________
> Jose González Gómez
> Software Architect
> +34 635 575 994
> jgonzalez@opentechnet.com
> http://www.opentechnet.com
>
> --
> Markus Moeller <huaraz@moeller.plus.com>
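
An added example, not part of the original thread or the howto: a small check that an nss_ldap configuration actually enables the TLS settings quoted above (`ssl start_tls`, `tls_cacertdir`). The `uri`, `tls_cacertfile` and `tls_checkpeer` directives are nss_ldap options not mentioned in the thread, and the sample configurations and host names are constructed.

```python
# Added example: audit nss_ldap ldap.conf text for the TLS settings quoted in the thread.
# Finding codes ("no-tls", "no-ca", "checkpeer-off") are names made up for this example.

def parse_directives(text):
    """Return {directive: value}; directive names are lower-cased, last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_transport(text):
    """Return a list of finding codes; an empty list means no issue was found."""
    conf = parse_directives(text)
    uris = conf.get("uri", "").lower().split()
    ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    ssl = conf.get("ssl", "off").lower()
    # Without StartTLS or LDAPS nothing protects the connection at the TLS layer.
    if ssl not in ("start_tls", "on", "yes", "true") and not ldaps_only:
        return ["no-tls"]
    findings = []
    # TLS without a CA location cannot validate the server certificate.
    if "tls_cacertdir" not in conf and "tls_cacertfile" not in conf:
        findings.append("no-ca")
    # An explicit "tls_checkpeer no" disables certificate verification.
    if conf.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append("checkpeer-off")
    return findings


# Constructed samples: the first mirrors the two lines quoted in the thread.
THREAD_CONFIG = """\
uri ldap://ldap.example.org
ssl start_tls
tls_cacertdir /etc/ssl/certs
"""
PLAINTEXT_CONFIG = "uri ldap://ldap.example.org\nbase dc=example,dc=org\n"
UNVERIFIED_CONFIG = "uri ldaps://ldap.example.org\ntls_checkpeer no\n"

if __name__ == "__main__":
    for name in ("THREAD_CONFIG", "PLAINTEXT_CONFIG", "UNVERIFIED_CONFIG"):
        print(name, audit_transport(globals()[name]) or "ok")
```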