Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]
--On Wednesday, March 24, 2004 6:22 PM +0100 Tony Earnshaw
ons, 24.03.2004 kl. 16.49 skrev Quanah Gibson-Mount:
> 1) What happens when a client connects over unencrypted channel, and
> authorises using SASL (for instance SASL/GSSAPI). Does the whole
> traffic automatically become encrypted afterwards (i.e. does this
> automatically starts TLS), or not?
No. It depends on 2 things:
1) The encryption strength of your K5 keys
2) If the client doing the bind has turned on encryption.
So you can have more or less encryption based on 1, and you can have no
encryption based on 2.
Because of this, Stanford uses the sasl_ssf flag in all its ACLs,
forcing encryption for all the data, so that if someone has not turned
on encryption, they cannot get data, even if they can successfully bind.
What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
encryption, over the wire, or simply that data in is encrypted? If the
latter, what is the expense of the latter compared to SSL/TLS? Which is
preferable from a data security point of view?
O.k., this has nothing to do with Openldap software ... etc. Take it
that you know the umich subscribe address, I just gave it to Thomas
Hm, actually it has to do with how OpenLDAP operates, and how clients
interact with OpenLDAP, so I'd say it applies to this list. ;)
By encryption, I mean encryption over the wire. Just like Kerberos login
sessions are encrypted over the wire, the LDAP connection between the
client and OpenLDAP server is also encrypted. You are just using a method
other than SSL/TLS to do the over-the-wire encryption. If you turned on
TLS/SSL in this case, you would be encrypting over the wire twice -- A bit
of an overkill, I think.
From a security point of view, I'd say it depends on your encryption
strengths and requirements. ;)
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
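To make the thread's point concrete (a successful bind is not the same as an encrypted session, and an ACL strength requirement is what closes the gap), here is an added toy model of how slapd matches ssf-style conditions in a "by" clause. It is illustrative code written for this page, not slapd's own implementation and not Stanford's configuration. It uses the real slapd.access(5) keywords ssf, transport_ssf, tls_ssf and sasl_ssf, assumes (as slapd does) that the overall ssf of a connection is the strongest of its transport, TLS and SASL layers, and that a clause whose strength requirement is not met simply does not match, so evaluation falls through to the next clause. The SSF numbers used (56 for a single-DES GSSAPI security layer, 128 for a TLS session) and the ACL itself are constructed for the example.

```python
"""Toy model of slapd-style ssf ACL matching (not slapd code)."""
from dataclasses import dataclass


@dataclass
class Connection:
    bound_dn: str        # "" for an anonymous (unbound) connection
    transport_ssf: int   # 0 for plain TCP; non-zero only for ldapi:// (local)
    tls_ssf: int         # 0 when no SSL/TLS is in use on the connection
    sasl_ssf: int        # 0 when SASL negotiated no security layer at all

    @property
    def ssf(self) -> int:
        # slapd records the strongest protection layer as the overall ssf.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


# Each tuple models one "by" clause: (who, strength keyword, minimum, level).
# Constructed ACL in the spirit of the thread: data is readable only by a
# bound user whose *SASL* layer provides at least ssf 56; everyone else gets
# nothing, even if their bind succeeded over an unencrypted channel.
SASL_ONLY_ACL = [
    ("users", "sasl_ssf", 56, "read"),
    ("*", None, 0, "none"),
]

# Variant using the overall ssf keyword instead: a GSSAPI security layer OR
# an SSL/TLS session of sufficient strength satisfies the requirement, so the
# two mechanisms need not be stacked on top of each other.
ANY_LAYER_ACL = [
    ("users", "ssf", 56, "read"),
    ("*", None, 0, "none"),
]


def evaluate(conn: Connection, acl) -> str:
    """Return the access level of the first clause that matches conn."""
    for who, keyword, minimum, level in acl:
        if who == "users" and not conn.bound_dn:
            continue  # "users" means authenticated; anonymous never matches
        if keyword is not None and getattr(conn, keyword) < minimum:
            continue  # strength requirement unmet: clause does not match
        return level
    return "none"  # no clause matched; slapd's default is no access


def scenarios():
    """Constructed connections covering the cases discussed in the thread."""
    bound = "uid=alice,dc=example,dc=com"
    return {
        # GSSAPI bind, client asked for a confidentiality layer (DES-era key).
        "gssapi_encrypted": Connection(bound, 0, 0, 56),
        # GSSAPI bind succeeded, but the client never turned encryption on.
        "gssapi_plaintext": Connection(bound, 0, 0, 0),
        # Simple bind inside an SSL/TLS session, no SASL layer.
        "tls_simple_bind": Connection(bound, 0, 128, 0),
        # Unauthenticated connection over plain TCP.
        "anonymous": Connection("", 0, 0, 0),
    }


def report(acl):
    """Map each scenario name to the access level the given ACL grants."""
    return {name: evaluate(conn, acl) for name, conn in scenarios().items()}


if __name__ == "__main__":
    for label, acl in (("sasl_ssf ACL", SASL_ONLY_ACL), ("ssf ACL", ANY_LAYER_ACL)):
        print(label)
        for name, level in report(acl).items():
            print(f"  {name:18s} -> {level}")
```

Running the block shows the two behaviours side by side: under the sasl_ssf ACL a GSSAPI bind without a security layer is denied data despite being authenticated, but so is a simple bind inside a TLS session, because sasl_ssf looks only at the SASL layer; switching the keyword to ssf accepts whichever layer reached the required strength, which is the cheaper alternative to encrypting twice that the reply alludes to.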