[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Support of Kerberos V5 safe and private messages for LDAP



Hi

I meant the same, that does Open LDAP directly or
through GSSAPI support KRB_SAFE or KRB_PRIV message 
exchange, once the Kerberos authentication has taken
place and the ldap client and ldap server share a
secret session key.

 Basically i  plan to write a client that presents a
kerberos ticket to the LDAP server and after mutual
authentication between the LDAP server and itself,
does an encrypted message exchange with the server and
thus the LDAP server ( directly or through GSSAPI )
also need to send encrypted messages to the client. 

  I feel that if encrypted message exchange between
LDAP server and LDAP client is not possible then the
kerberos (V5) authentication is not a very secure
mechanism, where the data stream between the LDAP
server and LDAP client is not secure.

Abhi
  


--- Norbert Klasen <norbert.klasen@daasi.de> wrote:
> 
> 
> --On Freitag, 1. Februar 2002 03:56 -0800 Abhinav
> Ratna 
> <abhi_ldap@yahoo.com> wrote:
> 
> > As Open LDAP supports Kerberos V5 authentication
> > mechanism, does it also support encrypted message
> > exchange between an LDAP client and LDAP server.
> The
> > Kerberos V5 RFC (RFC 1510) specifies KRB_SAFE and
> > KRB_PRIV messages for safe and private message
> > exchange respectively between client and servers
> after
> > kerberos authentication has taken place
> 
> OpenLDAP does not use Kerberos V5 directly. It uses
> the SASL GSSAPI 
> mechanism, which in turn can use Kerberos V5. By
> default, an SASL GSSAPI 
> bind in OpenLDAP will also install a security layer:
> 
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> 
> 
> -- 
> Norbert Klasen, Dipl.-Inform.
> DAASI International GmbH                 phone: +49
> 7071 29 70336
> Wilhelmstr. 106                          fax:   +49
> 7071 29 5114
> 72074 Tübingen                           email:
> norbert.klasen@daasi.de
> Germany                                  web:  
> http://www.daasi.de
> 
> 


__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com