[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: what is simple bind?

To: Hans Zauner <refuzun@yahoo.com>
Subject: Re: what is simple bind?
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 31 Oct 2000 14:47:44 -0800
Cc: openldap-software@OpenLDAP.org, openldap-software@OpenLDAP.org
In-reply-to: <20001031221057.97428.qmail@web9302.mail.yahoo.com>

At 02:10 PM 10/31/00 -0800, Hans Zauner wrote:
>so when using simple bind, there is no protection
>whatsoever?

Exactly.

>it asks for a password, which it checks against whats
>in the slapd.conf, correct?

The client obtains the password from the user and sends
this to server and the server verifies it. Unless there
is some other layer providing protection (e.g. TLS or
IPSEC), the password is transferred in the clear.

>if I wanted to use SASL what would I need to do?

SASL is a framework which support many different
authentication (and security service) mechanisms.
There a zillion ways of using it and not yet good
documentation as to how (at least not specific to
OpenLDAP).  There are hints provided in archives.

>it would add encryption to traversing data?

Depends on the mechanism.  The recommended mechanisms
(GSSAPI, DIGEST-MD5, and EXTERNAL w/ TLS) offers strong
authentication as well as integrity and confidentiality
protection.

>SASL is not related to password checking?

Some SASL mechanisms are password based.  Some offer
no significant benefit over simple bind (such as PLAIN)
and hence are not recommended.  DIGEST-MD5 is the
password based and offers a number of advantages over
simple bind.

I personally favor use of Kerberos V-based GSSAPI.

References:
- Re: what is simple bind?
  - From: Hans Zauner <refuzun@yahoo.com>

Prev by Date: Re: Strange Pam-Ldap authentication issue
Index(es):
- Chronological
- Thread