
Re: Syncrepl with Kerberos support

Quoting Quanah Gibson-Mount <quanah@zimbra.com>:

> > Before I begin, let me say that, in this case, Kerberos only offers
> > encrypted authentication and not data encryption for the OpenLDAP
> > replication phase; for that it is necessary to set up a Certificate
> > Authority and use TLS (LDAP over SSL, slapd on port 636).
>
> You're wrong.  Using SASL/GSSAPI fully encrypts the entire session if
> you tell it to, which is the default for most applications, including
> OpenLDAP. The only client I've ever seen that doesn't use encryption by
> default is Sun's JNDI stuff.

Right, I stand corrected! This makes me very happy, because it means that I now have less work to do than I thought.

Thanks very much!
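
Added example, not part of the original thread: one way to confirm from the provider's logs that replication binds actually negotiated a protected session, rather than assuming the client default applied. The sample lines are constructed and modelled on slapd stats-level BIND logging; the exact log format, the DNs and the minimum SSF of 56 are assumptions.

```python
import re

# Constructed sample lines modelled on slapd "stats" logging of binds.
# The format is an assumption and differs between OpenLDAP versions
# (older releases log only "ssf=", newer ones add "sasl_ssf=").
SAMPLE_LOG = """\
conn=1001 op=2 BIND dn="uid=replica1,cn=example.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1002 op=2 BIND dn="uid=replica2,cn=example.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=0 ssf=0
conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1004 op=2 BIND dn="uid=replica3,cn=example.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=0 ssf=256
"""

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)'
    r'(?: sasl_ssf=(?P<sasl_ssf>\d+))? ssf=(?P<ssf>\d+)'
)


def weak_binds(log_text, min_ssf=56):
    """Return (conn, dn, mech, ssf) for binds whose overall SSF is below min_ssf.

    The overall "ssf" value covers both the SASL security layer and TLS, so a
    GSSAPI bind with sasl_ssf=0 inside a TLS session (conn=1004) is not flagged.
    min_ssf=56 is an assumed policy threshold, not a value from the thread.
    """
    findings = []
    for line in log_text.splitlines():
        match = BIND_RE.search(line)
        if match is None:
            continue  # not a BIND result line
        ssf = int(match.group("ssf"))
        if ssf < min_ssf:
            findings.append(
                (int(match.group("conn")), match.group("dn"), match.group("mech"), ssf)
            )
    return findings


if __name__ == "__main__":
    for conn, dn, mech, ssf in weak_binds(SAMPLE_LOG):
        print(f"conn={conn} mech={mech} ssf={ssf} dn={dn}")
```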