Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]
--On Wednesday, March 24, 2004 10:57 AM +0100 firstname.lastname@example.org
Btw, I have a couple of related questions:
1) What happens when a client connects over an unencrypted channel, and
authorises using SASL (for instance SASL/GSSAPI)? Does the whole traffic
automatically become encrypted afterwards (i.e. does this automatically
start TLS), or not?
No. It depends on 2 things:
1) The encryption strength of your K5 keys
2) If the client doing the bind has turned on encryption.
So you can have more or less encryption based on 1, and you can have no
encryption based on 2.
Because of this, Stanford uses the sasl_ssf flag in all its ACLs, forcing
encryption for all the data, so that if someone has not turned on
encryption, they cannot get data, even if they can successfully bind via
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
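
The sasl_ssf ACL technique described in the reply, shown as a slapd.conf fragment. This is an added example, not part of the original message and not Stanford's configuration; the suffix dc=example,dc=com and the thresholds 56 and 112 are assumptions chosen for illustration.

```conf
# Constructed slapd.conf fragment (illustrative suffix and SSF thresholds).
#
# SSF (security strength factor) values as used by OpenLDAP:
#   0   = no protection
#   1   = integrity protection only, no confidentiality
#   56  = DES or other weak ciphers
#   112 = triple DES and other strong ciphers
#   128 = modern strong ciphers

# Weak form, kept commented out for comparison: any identity that binds
# successfully can read, even if the client never enabled a SASL
# security layer and the session is in cleartext.
#
# access to dn.subtree="dc=example,dc=com"
#     by users read
#     by * none

# Password hashes: require a stronger SASL layer than the rest of the tree.
# Rules are evaluated in order, so this more specific rule comes first.
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    by sasl_ssf=112 self write
    by * none

# Everything else: an authenticated identity gets read access only when
# the SASL layer negotiated for this connection has an SSF of at least 56.
# A client that binds with GSSAPI but leaves encryption off has a
# sasl_ssf of 0, matches no "by" clause before "by * none", and gets
# no data even though its bind succeeded.
access to dn.subtree="dc=example,dc=com"
    by sasl_ssf=56 users read
    by * none
```

Because sasl_ssf counts only the SASL layer, a client protected by TLS alone does not satisfy these rules; ssf= matches on the overall strength of the connection instead.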