
Re: Confused on best security method...



You can get information on Cyrus SASL from their website:
http://asg2.web.cmu.edu/sasl/
There's a 'SASL Programmer's Guide' on the site, which may be useful.

For information about the protocol itself, see RFC-2222.

We (at GLOBUS) are using an OpenSSL/GSI/SASL/OpenLDAP stack. You can find
more information at www.globus.org

-- Amrish


On Wed, 25 Jul 2001, Matt Witherspoon wrote:

|	I've been playing around with OpenLDAP here for the past week very
|thoroughly.. however I'm still a bit confused on what would be the most secure
|method of transmitting passwords and storing them as there seems to be lots of
|options. More than likely, I will be having one or two machines running slapd
|and slurpd, and then several other webservers making calls to these from
|various PHP scripts. What would be the best method of securing the passwords
|being transmitted between these LDAP servers and website server machines?
|	MD5 or SSHA is the only method that I have been able to get to work
|correctly, and I guess that's called a 'simple bind.' While that seems
|perfectly fine to me to store that password in the directory as an MD5 or
|such, when logging in, isn't the MD5 or SSHA always going to be the same??
|Correct me if I'm wrong there, but it seems like a 'replay' problem exists
|still. Now I've been trying to figure out this SASL and Start TLS stuff,
|there seems to be almost no documentation on it so I haven't got far (if
|anyone could point me to some info thanks!), but would those be any more secure
|than using MD5 or SSHA? Would those even work in PHP?
|	I suppose one other option, would be to simply establish several SSH pipes
|to the various servers and then just use the MD5 or SSHA password
|transmitting. This option makes the most sense to me right now as I don't
|understand SASL or TLS, additionally it would not be hard to get PHP to work
|with that setup. Are there side effects to this setup that I am not seeing?
|
|	So if anyone can shed some light on what I should be aiming for I'd really
|appreciate it! Thanks again for any help.
|
|    ~Matt Witherspoon
|

_________________________________________________

Amrish Kaushik

GRA, The Globus Project (www.globus.org)
USC/Information Sciences Institute
_________________________________________________
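
An added example, not part of either message and not OpenLDAP's own code: the {SSHA} userPassword storage format raised in the question, built and then verified the way a server checks a simple bind. In a simple bind the client sends the password itself and the server hashes it against the stored value, so the storage scheme gives no protection in transit; that has to come from TLS, a tunnel, or a SASL mechanism. The function names and the 8-byte salt length are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a stored value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed length; the verifier accepts any length
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: bytes) -> bool:
    """Server-side check: re-hash the received cleartext with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # malformed base64
        return False
    if len(raw) <= SHA1_LEN:  # no salt present, not a valid SSHA value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    pw = b"constructed-sample-password"  # constructed sample input
    a, b = make_ssha(pw), make_ssha(pw)
    # Two stored values for one password differ because the salts differ,
    # yet both verify against the same cleartext sent in the bind.
    print(a)
    print(b)
    print(check_ssha(a, pw), check_ssha(b, pw), check_ssha(a, b"wrong"))
```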