Re: Authenticate to ldap using Kerberos



Dan White <dwhite@olp.net> writes:

> If it didn't support TLS, I'd think that'd be a much more urgent focus
> (GSSAPI only provides 56 bits of encryption).

Incidentally, where are you getting this?  If you use Kerberos with GSSAPI
and AES keys, you get 128-bit encryption so far as I can see.  RFC 4121
defers to the Kerberos crypto specification for the encryption, and RFC
3962 definitely doesn't artificially limit the encryption strength of AES
to 56 bits.

SASL reports a security factor of 56, but I believe that's just because
there's no good way at present of getting the actual security factor
bubbled up to the SASL layer so that it can report it properly to the
application.  I don't believe that's an accurate reflection of the on-wire
encryption.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>