Re: Basic Steps to get SASL working?
Hi,
just read this thread and I'm wondering about what I did
until now.
Howard, did you read Turbo's article "LDAPv3-HOWTO.html"
on his site www.bayour.com?
Are there other things you can tell us about
SASL, because there's not too much documentation
on the net?
If I understood you right, I don't have to compile
openldap with the options
--with-spasswd
--with-kpasswd
if I ONLY want to use SASL as passwd mechanism?
greetings Harry
Howard Chu wrote:
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> > Fredriksson
>
> > >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
> >
> > Howard> Further on the kpasswd subject - that only supports
> > Howard> Kerberos 4, which has several known vulnerabilities of its
> > Howard> own. Nobody should be using this, period.
>
> My mistake, the current code will also support Kerberos 5.
>
> > I thought this was to be able to use the '{KERBEROS}' entry... ?
>
> Yes, but this '{KERBEROS}' scheme is only used to verify a plaintext
> password received from a client. *All* of the password schemes are used
> simply to verify a plaintext password received from a client. They are only
> used when a client performs an LDAP Simple Bind; there is no privacy
> protection for this operation.
> As such, if you use this, you have just given away your "secure" Kerberos
> password to anyone who cares to sniff your network.
>
> If you are going to use SASL, use SASL Bind, not Simple Bind. If you are
> going to use Kerberos, use SASL/GSSAPI, not Simple Bind. If you are plugging
> into *any* "secure" authentication system, don't use Simple Bind, otherwise
> you are just compromising *all* of the security of that other system.
>
> If all you need is a plaintext Simple Bind, then save yourself the trouble
> and *don't* configure SASL, Kerberos, or any other security mechanisms. Yes,
> all of them can coexist, but it's just not logical to do so.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
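The point Howard makes above is that a Simple Bind carries the password itself in the BindRequest, so every password scheme on the server only ever "verifies" a secret that already crossed the wire in the clear. The following is an added example, not code from this thread or from OpenLDAP: a minimal BER decoder for the LDAP BindRequest PDU as defined in RFC 4511, written as a defender's check that reports the bind DN and the authentication choice (simple vs. SASL, plus the SASL mechanism) without ever returning the password bytes. The sample PDUs are constructed in the file with the small encoder included; the `tls_protected` flag is an assumption supplied by the caller from the transport (ldaps:// or a completed StartTLS), since the PDU alone cannot tell you whether it was encrypted.

```python
"""Classify LDAP BindRequests: Simple Bind (cleartext password) vs SASL Bind.
Added example (not from the thread or OpenLDAP); sample PDUs are constructed
below with the encoder in this file, not captured from a network."""
from dataclasses import dataclass
from typing import Optional, Tuple

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0]: OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3]: SaslCredentials


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long form: next N bytes hold the length
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str
    auth: str                 # "simple" or "sasl"
    mechanism: Optional[str]  # SASL mechanism name, None for simple
    cleartext_secret: bool    # a password crossed the wire unprotected


def parse_bind_request(pdu: bytes, tls_protected: bool = False) -> BindInfo:
    """Parse an LDAPMessage carrying a BindRequest. tls_protected is an
    assumption supplied by the caller from the transport (ldaps:// / StartTLS)."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = read_tlv(op, 0)        # version INTEGER
    _, name, pos = read_tlv(op, pos)     # name LDAPDN
    tag, cred, _ = read_tlv(op, pos)     # authentication CHOICE
    version, dn = int.from_bytes(ver, "big"), name.decode("utf-8")
    if tag == AUTH_SIMPLE:
        # cred *is* the password; an empty one is an anonymous bind. Not returned.
        return BindInfo(message_id, version, dn, "simple", None,
                        len(cred) > 0 and not tls_protected)
    if tag == AUTH_SASL:
        _, mech, _ = read_tlv(cred, 0)   # SaslCredentials.mechanism
        mechanism = mech.decode("utf-8")
        # PLAIN and LOGIN put the password inside the SASL credentials too.
        return BindInfo(message_id, version, dn, "sasl", mechanism,
                        mechanism in ("PLAIN", "LOGIN") and not tls_protected)
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Constructed sample: protocol-version-3 Simple Bind (small message ids only)."""
    op = ber_tlv(BIND_REQUEST, ber_tlv(INTEGER, b"\x03")
                 + ber_tlv(OCTET_STRING, name.encode("utf-8"))
                 + ber_tlv(AUTH_SIMPLE, password.encode("utf-8")))
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + op)


def build_sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """Constructed sample: SASL Bind with an empty name, as clients usually send."""
    sasl = ber_tlv(OCTET_STRING, mechanism.encode("utf-8"))
    if credentials:
        sasl += ber_tlv(OCTET_STRING, credentials)
    op = ber_tlv(BIND_REQUEST, ber_tlv(INTEGER, b"\x03")
                 + ber_tlv(OCTET_STRING, b"") + ber_tlv(AUTH_SASL, sasl))
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + op)


if __name__ == "__main__":
    for pdu, over_tls in [
        (build_simple_bind(1, "cn=admin,dc=example,dc=com", "hunter2"), False),
        (build_simple_bind(2, "cn=admin,dc=example,dc=com", "hunter2"), True),
        (build_sasl_bind(3, "GSSAPI", b"\x60\x00"), False),
    ]:
        print(parse_bind_request(pdu, tls_protected=over_tls))
```

Run over real traffic (for instance, PDUs pulled from a capture on port 389), the `cleartext_secret` flag is the thing to alert on: a Simple Bind with a non-empty password, or a SASL PLAIN/LOGIN bind, on a connection that never negotiated TLS is exactly the "given away your password to anyone who cares to sniff your network" case from the reply above, whereas a SASL/GSSAPI bind carries only a Kerberos token.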