[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Basic Steps to get SASL working?

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson

> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
>     Howard> Further on the kpasswd subject - that only supports
>     Howard> Kerberos 4, which has several known vulnerabilities of its
>     Howard> own. Nobody should be using this, period.

My mistake, the current code will also support Kerberos 5.

> I thought this was to be able to use the '{KERBEROS}' entry... ?

Yes, but this '{KERBEROS}' scheme is only used to verify a plaintext
password received from a client. *All* of the password schemes are used
simply to verify a plaintext password received from a client. They are only
used when a client performs an LDAP Simple Bind, there is no privacy
protection for this operation.
As such, if you use this, you have just given away your "secure" Kerberos
password to anyone who cares to sniff your network.

If you are going to use SASL, use SASL Bind, not Simple Bind. If you are
going to use Kerberos, use SASL/GSSAPI, not Simple Bind. If you are plugging
into *any* "secure" authentication system, don't use Simple Bind, otherwise
you are just compromising *all* of the security of that other system.

If all you need is a plaintext Simple Bind, then save yourself the trouble
and *don't* configure SASL, Kerberos, or any other security mechanisms. Yes
all of them can coexist but it's just not logical to do so.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support