[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

--On Wednesday, March 24, 2004 10:57 AM +0100 denis.havlik@t-mobile.at wrote:

Btw, I have a couple of related questions:

1) What happens when a client connects over unencrypted channel, and
authorises using SASL (for instance SASL/GSSAPI). Does the whole traffic
automatically become encrypted afterwards (i.e. does this automatically
starts TLS), or not?

No. It depends on 2 things:

1) The encryption strength of your K5 keys
2) If the client doing the bind has turned on encryption.

So you can have more or less encryption based on 1, and you can have no encryption based on 2.

Because of this, Stanford uses the sasl_ssf flag in all its ACL's, forcing encryption for all the data, so that if someone has not turned on encryption, they cannot get data, even if they can successfully bind via SASL/GSSAPI.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html