[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos/LDAP/SASL central authentication server howto

To: tarjei@nu.no
Subject: Re: Kerberos/LDAP/SASL central authentication server howto
From: Love <lha@stacken.kth.se>
Date: Mon, 09 Aug 2004 10:44:26 +0200
Cc: Markus Moeller <huaraz@moeller.plus.com>, Heimdal list <heimdal-discuss@sics.se>, Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
In-Reply-To: <1092037347.6155.35.camel@linux.site> (Tarjei Huse's message of"Mon, 09 Aug 2004 09:42:28 +0200")
References: <200408081229.i78CTGTN024320@brev.sics.se><1092037347.6155.35.camel@linux.site>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)

Tarjei Huse <tarjei@nu.no> writes:

>> Can't I use SASL/GSSAPI instead of SSL to avoid the SSL cert
>> management ?
>
> Nope, GSSAPI only secures the passwordexchange while tls/ssl secures the
> whole transaction. So if you update another users password on a remote
> server only uses GSSAPI, you'll end up authenticating securely but the
> other users password will be transmitted in cleartext.

This is not true, GSSAPI provides transport security if you want it
too. Now, there are ldap servers allow what you describe, that is no reason
to use them that way.

Love

PGP signature

Follow-Ups:
- Re: Kerberos/LDAP/SASL central authentication server howto
  - From: Tarjei Huse <tarjei@nu.no>

References:
- Re: Kerberos/LDAP/SASL central authentication server howto
  - From: Markus Moeller <huaraz@moeller.plus.com>
- Re: Kerberos/LDAP/SASL central authentication server howto
  - From: Tarjei Huse <tarjei@nu.no>

Prev by Date: Re: Kerberos/LDAP/SASL central authentication server howto
Next by Date: Re: Kerberos/LDAP/SASL central authentication server howto
Prev by thread: Re: Kerberos/LDAP/SASL central authentication server howto
Next by thread: Re: Kerberos/LDAP/SASL central authentication server howto
Index(es):
- Date
- Thread