Question regarding order of SASL authentication mechanisms

Markus Moeller huaraz at moeller.plus.com
Sun Dec 7 08:03:17 EST 2008


Thank you for the details. Is there work going on to determine the correct 
strength for GSSAPI? 56 bit is there only because very old 
implementations did only DES. Now you can have RC4, AES, etc.

Thank you
Markus

"Dan White" <dwhite at olp.net> wrote in message 
news:493B0061.1010202 at olp.net...
> Markus Moeller wrote:
>> Dieter,
>>
>> It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5
>>
>> With /etc/sasl2/slapd.conf
>> mech_list: gssapi digest-md5 external
>>
>> I get:
>>
>> # ldapsearch -h localhost -b "" -s base +
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>
> Markus,
>
> SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a 
> 256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be 
> preferred if no mechanism, or security properties, are specified.
>
> See the manpage for ldap.conf to force a default SASL mechanism for the 
> OpenLDAP client utilities.
>
> You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.
>
> - Dan
> 
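
An added illustration, not part of the original messages and not Cyrus SASL code: a simplified Python model of the server-offers, client-chooses selection described in the quoted reply, showing why the order of mech_list on the server does not decide the outcome and why pinning SASL_MECH on the client does. The strength ratings for GSSAPI and DIGEST-MD5 are the figures quoted in the thread; the function name, the EXTERNAL rating of 0 and the client's usable-mechanism set are assumptions.

```python
# Simplified model of client-side SASL mechanism choice (not Cyrus SASL source).
# GSSAPI and DIGEST-MD5 ratings are the figures quoted in the thread;
# the EXTERNAL rating of 0 is an assumption for this sketch.
RATED_STRENGTH = {"GSSAPI": 56, "DIGEST-MD5": 256, "EXTERNAL": 0}

# mech_list from the thread, in the server's order.
OFFER = ["gssapi", "digest-md5", "external"]
# Constructed: mechanisms this client has plugins and credentials for.
USABLE = {"GSSAPI", "DIGEST-MD5"}


def choose_mechanism(server_offer, client_usable, forced=None, min_ssf=0):
    """Return the mechanism the client would attempt, or None.

    server_offer  -- names advertised by the server, in the server's order
    client_usable -- upper-case names the client can actually use
    forced        -- models SASL_MECH from ldap.conf or ~/.ldaprc
    min_ssf       -- models a minimum-strength security property
    """
    offered = [m.upper() for m in server_offer]
    if forced is not None:
        forced = forced.upper()
        # A pinned mechanism is used or the bind fails: no silent fallback.
        if forced in offered and forced in client_usable:
            return forced
        return None
    best = None
    for mech in offered:
        if mech not in client_usable:
            continue
        if RATED_STRENGTH.get(mech, 0) < min_ssf:
            continue
        # Strictly greater wins, so server order only breaks ties.
        if best is None or RATED_STRENGTH.get(mech, 0) > RATED_STRENGTH.get(best, 0):
            best = mech
    return best


if __name__ == "__main__":
    print("default choice:     ", choose_mechanism(OFFER, USABLE))
    print("reversed mech_list: ", choose_mechanism(OFFER[::-1], USABLE))
    print("SASL_MECH GSSAPI:   ", choose_mechanism(OFFER, USABLE, forced="GSSAPI"))
    print("pinned, not offered:", choose_mechanism(["digest-md5"], USABLE, forced="GSSAPI"))
```

With the mechanism pinned, a server that stops offering GSSAPI produces a failed bind rather than a password prompt, which is the behaviour to prefer when Kerberos is the intended credential.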



