[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Basic Steps to get SASL working?


just read this thread and i'm wondering about what i did
until now.

Howard, did you read Turbos article "LDAPv3-HOWTO.html"
on his site www.bayour.com ?

Are there other things, you can tell us about 
SASL cause there's not too much documentation
on the net ?

If i understood you right, i dont't have to compile 
openldap with the options 
if i ONLY want to use SASL as passwd mechanism ?

greetings Harry

Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> > Fredriksson
> > >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
> >
> >     Howard> Further on the kpasswd subject - that only supports
> >     Howard> Kerberos 4, which has several known vulnerabilities of its
> >     Howard> own. Nobody should be using this, period.
> My mistake, the current code will also support Kerberos 5.
> > I thought this was to be able to use the '{KERBEROS}' entry... ?
> Yes, but this '{KERBEROS}' scheme is only used to verify a plaintext
> password received from a client. *All* of the password schemes are used
> simply to verify a plaintext password received from a client. They are only
> used when a client performs an LDAP Simple Bind, there is no privacy
> protection for this operation.
> As such, if you use this, you have just given away your "secure" Kerberos
> password to anyone who cares to sniff your network.
> If you are going to use SASL, use SASL Bind, not Simple Bind. If you are
> going to use Kerberos, use SASL/GSSAPI, not Simple Bind. If you are plugging
> into *any* "secure" authentication system, don't use Simple Bind, otherwise
> you are just compromising *all* of the security of that other system.
> If all you need is a plaintext Simple Bind, then save yourself the trouble
> and *don't* configure SASL, Kerberos, or any other security mechanisms. Yes
> all of them can coexist but it's just not logical to do so.
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support