
Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

OpenLDAP allows administrators to control data security services
in a number of ways.  An admin can simply say ssf=96 but not
care how it is provided.  Or the admin can require that this
SSF be provided by a particular subsystem (e.g. TLS or SASL).

Personally, I don't care much about which particular method is
used to provide the data security, just that a reasonable method
is used; they are all fine with me (assuming appropriate data
security layers have been installed).  So I have broad controls like ssf.

But you can use more narrow controls if you want to, including
restricting not only the framework used (SASL or TLS), but also the
particular mechanism (or cipher suite) used.  (And if the
controls available are not narrow enough for your liking,
feel free to hack.)
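As an added illustration (not part of this mail or the OpenLDAP sources), the slapd.conf fragments below put the broad ssf control next to the narrower framework-level and ACL-level controls discussed above; the SSF values and the userPassword ACL are illustrative choices, not recommended settings.

```conf
# Broad control: every operation needs 96 bits of protection, however the
# connection provides it (a TLS session or a SASL security layer both count).
security ssf=96

# Narrower: the protection must come from one particular framework.
# Pick one line, not both; listing several factors requires all of them.
security tls=96
#security sasl=96

# Narrower still: pin the TLS cipher suites themselves (OpenSSL list syntax),
# so a "strong enough" SSF cannot be met by an unwanted suite.
TLSCipherSuite HIGH:!aNULL:!eNULL

# Per-ACL control, the approach described for Stanford in the quoted mail:
# a successful SASL/GSSAPI bind is not enough on its own; the client must
# also have negotiated a SASL security layer (sasl_ssf) to read data.
# ssf= would accept TLS as well; sasl_ssf= and tls_ssf= name the framework.
access to attrs=userPassword
    by sasl_ssf=56 self write
    by sasl_ssf=56 users auth
    by * none

access to *
    by sasl_ssf=56 users read
    by tls_ssf=128 users read
    by * auth
```

A client that binds with GSSAPI but without requesting a security layer reaches the final `by * auth` clause and gets no data, which is the behaviour Quanah describes below.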


At 10:45 AM 3/24/2004, Quanah Gibson-Mount wrote:

>--On Wednesday, March 24, 2004 6:22 PM +0100 Tony Earnshaw <tonye@billy.demon.nl> wrote:
>>ons, 24.03.2004 kl. 16.49 skrev Quanah Gibson-Mount:
>>>> 1) What happens when a client connects over unencrypted channel, and
>>>> authorises using SASL (for instance SASL/GSSAPI). Does the whole
>>>> traffic automatically become encrypted afterwards (i.e. does this
>>>> automatically starts TLS), or not?
>>>No.  It depends on 2 things:
>>>1) The encryption strength of your K5 keys
>>>2) If the client doing the bind has turned on encryption.
>>>So you can have more or less encryption based on 1, and you can have no
>>>encryption based on 2.
>>>Because of this, Stanford uses the sasl_ssf flag in all its ACL's,
>>>forcing  encryption for all the data, so that if someone has not turned
>>>on  encryption, they cannot get data, even if they can successfully bind
>>>via  SASL/GSSAPI.
>>What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
>>encryption, over the wire, or simply that data in is encrypted? If the
>>latter, what is the expense of the latter compared to SSL/TLS? Which is
>>preferable from a data security point of view?
>>O.k., this has nothing to do with Openldap software ... etc. Take it
>>that you know the umich subscribe address, I just gave it to Thomas
>Hm, actually it has to do with how OpenLDAP operates, and how clients interact with OpenLDAP, so I'd say it applies to this list. ;)
>By encryption, I mean encryption over the wire.  Just like Kerberos login sessions are encrypted over the wire, the LDAP connection between the client and OpenLDAP server is also encrypted.  You are just using a method other than SSL/TLS to do the over-the-wire encryption.  If you turned on TLS/SSL in this case, you would be encrypting over the wire twice -- A bit of an overkill, I think.
> From a security point of view, I'd say it depends on your encryption strengths and requirements. ;)
>Quanah Gibson-Mount
>Principal Software Developer
>ITSS/TSS/Computing Systems
>ITSS/TSS/Infrastructure Operations
>Stanford University
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html