[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

To: denis.havlik@t-mobile.at
Subject: Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Wed, 24 Mar 2004 07:49:52 -0800
Cc: openldap list <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <OFEB8C32D6.81E65607-ONC1256E61.0034651E-C1256E61.0036B8A2@t-mobile.at>
References: <OFEB8C32D6.81E65607-ONC1256E61.0034651E-C1256E61.0036B8A2@t-mob ile.at>

--On Wednesday, March 24, 2004 10:57 AM +0100 denis.havlik@t-mobile.at wrote:

Btw, I have a couple of related questions:

1) What happens when a client connects over unencrypted channel, and
authorises using SASL (for instance SASL/GSSAPI). Does the whole traffic
automatically become encrypted afterwards (i.e. does this automatically
starts TLS), or not?


No.  It depends on 2 things:

1) The encryption strength of your K5 keys
2) If the client doing the bind has turned on encryption.

So you can have more or less encryption based on 1, and you can have no encryption based on 2.

Because of this, Stanford uses the sasl_ssf flag in all its ACL's, forcing encryption for all the data, so that if someone has not turned on encryption, they cannot get data, even if they can successfully bind via SASL/GSSAPI.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]
  - From: Tony Earnshaw <tonye@billy.demon.nl>

References:
- Antwort: OpenLDAP exclusively on SSL [Virus checked]
  - From: denis.havlik@t-mobile.at

Prev by Date: Athenticating with LDAP (newbie question)
Next by Date: search / add operations suddenly became hopelessly slow
Index(es):
- Chronological
- Thread