Re: Kerberos/LDAP/SASL central authentication server howto
Tarjei,
I used a SUSE Linux box with latest openldap, sasl and heimdal kerberos against AD (e.g. ./ldapsearch -H ldap://ad.test.com:389/ -b
"DC=TEST,DC=COM" -s sub "(cn=testuser)") and I think it does negotiate the mechanism including the security properties and uses at the
end gss_wrap to encrypt the connection.
Regards
Markus
On Mon, 9 Aug 2004 14:38, Tarjei Huse <tarjei@nu.no> sent:
>Quoting Love <lha@stacken.kth.se>:
>
>>
>> Tarjei Huse <tarjei@nu.no> writes:
>>
>> >> Can't I use SASL/GSSAPI instead of SSL to avoid the SSL cert
>> >> management ?
>> >
>> > Nope, GSSAPI only secures the password exchange while tls/ssl secures the
>> > whole transaction. So if you update another user's password on a remote
>> > server that only uses GSSAPI, you'll end up authenticating securely but the
>> > other user's password will be transmitted in cleartext.
>>
>> This is not true, GSSAPI provides transport security if you want it
>> too. Now, there are ldap servers that allow what you describe, that is no reason
>> to use them that way.
>
>?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of
>tls to secure not only authentication but everything that happens over the
>wire.
>
>Tarjei
>
>>
>> Love
>>
>>
>
>
>Mob: 920 63 413
>
--
Markus Moeller <huaraz@moeller.plus.com>
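As an added example that is not part of any message in this thread: the client-side way to make sure a SASL/GSSAPI bind actually installs the gss_wrap security layer Markus and Love describe, rather than only authenticating, is to pass OpenLDAP's `-O minssf=...` security property and to check the "SASL SSF:" status line ldapsearch prints. The sample status lines below are constructed in the shape ldapsearch prints them; the host, base and SSF threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenLDAP's ldapsearch with
# Cyrus SASL and a valid Kerberos ticket for the client.

# Minimum security strength factor we insist on. 56 is the value the Cyrus
# SASL GSSAPI plugin reports once gss_wrap confidentiality is in place
# (assumption; adjust to local policy).
MIN_SSF=56

# Search with the GSSAPI mechanism and a client policy that makes the bind
# fail unless a security layer of at least MIN_SSF is negotiated.
# Status lines go to stderr, so both streams are captured for inspection.
gssapi_search() {
  ldapsearch -H "$1" -Y GSSAPI -O "minssf=$MIN_SSF" -b "$2" -s sub "$3" 2>&1
}

# Read captured ldapsearch output on stdin; succeed only if the reported
# SSF shows a security layer of at least MIN_SSF was installed.
sasl_layer_ok() {
  ssf=$(sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$ssf" ] || return 1        # no SSF line at all: no layer negotiated
  [ "$ssf" -ge "$MIN_SSF" ]
}

# Constructed sample: bind that installed the data security layer.
SAMPLE_WRAPPED='SASL/GSSAPI authentication started
SASL username: testuser@TEST.COM
SASL SSF: 56
SASL data security layer installed.
dn: CN=testuser,DC=TEST,DC=COM'

# Constructed sample: authentication-only bind, everything after it is
# sent in the clear (the case Tarjei was worried about).
SAMPLE_PLAIN='SASL/GSSAPI authentication started
SASL username: testuser@TEST.COM
SASL SSF: 0
dn: CN=testuser,DC=TEST,DC=COM'

# Feed one of the samples through the check.
check_sample() {
  printf '%s\n' "$1" | sasl_layer_ok
}

# Live use (assumed names):
#   gssapi_search ldap://ad.test.com:389/ "DC=TEST,DC=COM" "(cn=testuser)" | sasl_layer_ok
```

The same policy can be made the default for every client on the box with `SASL_SECPROPS minssf=56` in ldap.conf, so a bind that would leave later operations unprotected fails instead of silently succeeding.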