[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos/LDAP/SASL central authentication server howto

Tarjei Huse <tarjei@nu.no> writes:

>> Can't I use SASL/GSSAPI instead of SSL to avoid the SSL cert
>> management ?
> Nope, GSSAPI only secures the passwordexchange while tls/ssl secures the
> whole transaction. So if you update another users password on a remote
> server only uses GSSAPI, you'll end up authenticating securely but the
> other users password will be transmitted in cleartext.

This is not true, GSSAPI provides transport security if you want it
too. Now, there are ldap servers allow what you describe, that is no reason
to use them that way.


PGP signature