[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Kerberos/LDAP/SASL central authentication server howto
I think you are right, SASL only protects the authentication exchange. I found also that cysus-sasl hard codes SSF 56 for GSSAPI.
On Tue, 10 Aug 2004 12:47 , Nikola Milutinovic <Nikola.Milutinovic@ev.co.yu> sent:
>Markus Moeller wrote:
>> If you look athe the slapd.conf help you find:
>This is all fine, but it still refers to AUTHENTICATION protection. It
>states nothing on the protection of data being transported AFTER the
>authentication has been performed. And to my knowledge, only SSL/TLS
>offer transport encryption
>> I tried to use the -O minssf=128 with ldapsearch against AD, but get a failure although I use the latest heimdal library which
>> rc4-hmac. I can see that I have an arcfour-hmac-md5 ticket for the ldap/server principal and would assume that rc4-hmace allows the
>> higher encryption.
>Perhaps MS ADS doesn't support anything that strong. It should support
>GSS-API, which is at SSF:56.
Markus Moeller <email@example.com>