Re: Kerberos/LDAP/SASL central authentication server howto
I used a SUSE Linux box with latest openldap, sasl and heimdal kerberos against AD (e.g. ./ldapsearch -H ldap://ad.test.com:389/ -b
"DC=TEST,DC=COM" -s sub "(cn=testuser)" ) and I think it does negotiate the mechanism including the security properties and uses at the
end gss_wrap to encrypt the connection.
On Mon, 9 Aug 2004 14:38 , Tarjei Huse <firstname.lastname@example.org> sent:
>Quoting Love <email@example.com>:
>> Tarjei Huse <firstname.lastname@example.org> writes:
>> >> Can't I use SASL/GSSAPI instead of SSL to avoid the SSL cert
>> >> management ?
>> > Nope, GSSAPI only secures the password exchange while tls/ssl secures the
>> > whole transaction. So if you update another user's password on a remote
>> > server that only uses GSSAPI, you'll end up authenticating securely but the
>> > other user's password will be transmitted in cleartext.
>> This is not true, GSSAPI provides transport security if you want it
>> too. Now, there are ldap servers that allow what you describe, that is no reason
>> to use them that way.
>?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of
>tls to secure not only authentication but everything that happens over the
>Mob: 920 63 413
Markus Moeller <email@example.com>
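Markus's point above, that the client negotiates GSSAPI security properties and then wraps the connection, is something a practitioner will want to make checkable rather than take on trust. The following shell example is added here and is not part of the thread or of any project's code. It assumes the OpenLDAP client tools' -O secprops option and the "SASL SSF: <n>" / "SASL data security layer installed." progress lines those tools print on stderr (suppressed by -Q); the host, base DN and user are the placeholders from Markus's ldapsearch command, not a reachable server, and the two transcripts are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example: request a SASL/GSSAPI security layer from the OpenLDAP
# client and verify, from the tool's own progress output, that a layer
# was actually installed. Host/base DN are placeholders from the thread.

LDAP_URI="ldap://ad.test.com:389/"
BASE_DN="DC=TEST,DC=COM"

# Security-property string passed with -O. minssf=56 makes the bind fail
# unless an encryption layer is negotiated (ssf 1 would be integrity only,
# 0 no layer at all), so an authenticated-but-cleartext session is refused
# instead of silently carrying later operations unprotected.
SECPROPS="minssf=56"

# Command as it would be typed (printed, not executed here): -Y GSSAPI picks
# the mechanism explicitly, -O applies SECPROPS to the SASL negotiation.
build_search_cmd() {
    printf 'ldapsearch -H %s -Y GSSAPI -O %s -b "%s" -s sub "(cn=%s)"\n' \
        "$LDAP_URI" "$SECPROPS" "$BASE_DN" "$1"
}

# Extract the negotiated SSF from client progress output. Prints 0 when no
# "SASL SSF:" line is present, i.e. no security layer at all.
negotiated_ssf() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${ssf:-0}"
}

# Succeed only if the session got an encryption layer (ssf greater than 1).
session_is_encrypted() {
    [ "$(negotiated_ssf "$1")" -gt 1 ]
}

# Constructed sample transcripts modelled on the client tools' messages
# (not captured from a real bind).
SAMPLE_SEALED='SASL/GSSAPI authentication started
SASL username: testuser@TEST.COM
SASL SSF: 56
SASL data security layer installed.'

SAMPLE_NOLAYER='SASL/GSSAPI authentication started
SASL username: testuser@TEST.COM
SASL SSF: 0'

if [ "${1:-}" = "demo" ]; then
    build_search_cmd testuser
    for t in "$SAMPLE_SEALED" "$SAMPLE_NOLAYER"; do
        if session_is_encrypted "$t"; then
            echo "encryption layer present, ssf=$(negotiated_ssf "$t")"
        else
            echo "no encryption layer (ssf=$(negotiated_ssf "$t")): later operations would travel in cleartext"
        fi
    done
fi
```

Run it with `sh script.sh demo` to see the command line and the verdict for both transcripts. The client-side minssf only protects users who remember to set it (or who have SASL_SECPROPS in ldap.conf); on an OpenLDAP server the `security ssf=56` and `sasl-secprops minssf=56` slapd.conf directives enforce the same floor for every client, which is the check that actually closes the cleartext-password gap raised earlier in the thread.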