[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl with Kerberos support

--On Monday, January 11, 2010 8:33 PM +0100 Jaap Winius <jwinius@umrk.nl> wrote:

Quoting Jaap Winius <jwinius@umrk.nl>:

Although I know how to configure syncrepl with the "simple" bindmethod,
using a clear-text password exchange and clear-text database
replication, and I know how to setup an provider server with MIT
Kerberos V encryption support, can anyone explain how to configure a
consumer so that syncrepl also uses Kerberos?

Okay, I'll answer this one myself.

Before I begin, let me say that, in this case, Kerberos only offers
encrypted authentication and not data encryption for the OpenLDAP
replication phase; for that it is necessary to set up a Certificate
Authority and use TLS (LDAP over SSL, slapd on port 636).

You're wrong. Using SASL/GSSAPI fully encrypts the entire session if you tell it to, which is the default for most applications, including OpenLDAP. The only client I've ever seen that doesn't use encryption by default is Sun's JNDI stuff.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration