[Date Prev][Date Next]
Re: Confused on best secuirty method...
You can get information on Cyrul SASL from their website..
There's a 'SASL Programmer's Guide' one the site, which may be useful.
For information about the protocol itself see RFC-2222
We (at GLOBUS ) are using an OpenSSL/GSI/SASL/OpenLDAP stack. You can find
more information at www.globus.org
On Wed, 25 Jul 2001, Matt Witherspoon wrote:
| I've been playing around with OpenLDAP here for the past week very
|throughly.. however I'm still a bit confused on what would be the most secure
|method of transmiting passwords and storing them as there seems to be lots of
|options. More than likely, I will be having one or two machines running slapd
|and slurpd, and then serveral other webservers making calls to these from
|various PHP scripts. What would be the best method of securing the passwords
|being transmitted between these LDAP servers and website server machines?
| MD5 or SSHA is the only method that I have been able to get to work
|correctly, and I guess that's called a 'simple bind.' While that seems
|perfectly fine to me to store that password in the directory as a MD5 or
|such, when logging in, isn't the MD5 or SSHA always going to be the same??
|Correct me if I'm wrong there, but it seems like a 'replay' problem exsists
|still. Now I've been trying to figure out this SASL and Start TLS stuff,
|there seems to be almost no documentation on it so I havn't got far (if any
|one could point me to some info thanks!), but would those be any more secure
|than using MD5 or SSHA? Would those even work in PHP?
| I suppose one other option, would be to simply establish serveral SSH pipes
|to the various servers and then just use the MD5 or SSHA password
|trasmitting. This option makes the most sense to me right now as I don't
|understand SASL or TLS, addtionally it would not be hard to get PHP to work
|with that setup. Are there side effects to this setup that I am not seeing?
| So if anyone can shed some light on what I should be aiming for I'd really
|appricate it! Thanks again for any help.
| ~Matt Witherspoon
GRA, The Globus Project (www.globus.org)
USC/Information Sciences Institute