Question regarding order of SASL authentication mechanisms
Markus Moeller
huaraz at moeller.plus.com
Sun Dec 7 08:03:17 EST 2008
Thank you for the details. Is there work going on to determine the correct
strength for GSSAPI? 56 bit is there only because very old
implementations only did DES. Now you can have RC4, AES, etc.
Thank you
Markus
"Dan White" <dwhite at olp.net> wrote in message
news:493B0061.1010202 at olp.net...
> Markus Moeller wrote:
>> Dieter,
>>
>> It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5
>>
>> With /etc/sasl2/slapd.conf
>> mech_list: gssapi digest-md5 external
>>
>> I get:
>>
>> # ldapsearch -h localhost -b "" -s base +
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>
> Markus,
>
> SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a
> 256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be
> preferred if no mechanism, or security properties, are specified.
>
> See the manpage for ldap.conf to force a default SASL mechanism for the
> OpenLDAP client utilities.
>
> You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.
>
> - Dan
>
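A simplified model of the selection behaviour discussed in this thread, added here as an illustration and not taken from the thread or from Cyrus SASL. The function name, its parameters and the strength value for EXTERNAL are assumptions; the other two strength figures are the ones quoted in the reply.

```python
# Simplified model of client-side SASL mechanism choice (not Cyrus SASL code).
# Strength figures for DIGEST-MD5 and GSSAPI are the ones quoted in the reply
# above; the 0 for EXTERNAL is an assumption made for this illustration.
SSF = {"GSSAPI": 56, "DIGEST-MD5": 256, "EXTERNAL": 0}


def choose_mechanism(offered, forced=None, minssf=0, available=None):
    """Return the mechanism a client would pick from the server's offer.

    offered   -- mechanism names in the order the server lists them
    forced    -- a SASL_MECH-style override, or None
    minssf    -- lowest acceptable strength (a security property)
    available -- mechanisms the client can actually use (None = all known)
    """
    offered = [m.upper() for m in offered]
    usable = set(SSF) if available is None else {m.upper() for m in available}

    # An explicit mechanism bypasses the strength comparison entirely,
    # but it still has to be something the server offered.
    if forced is not None:
        forced = forced.upper()
        if forced not in offered or forced not in usable:
            raise ValueError(f"{forced} is not offered or not usable")
        return forced

    # Drop mechanisms the client cannot use or that are too weak.
    candidates = [m for m in offered if m in usable and SSF[m] >= minssf]
    if not candidates:
        raise ValueError("no offered mechanism satisfies the security properties")

    # Strongest wins. The server's listing order only breaks ties,
    # which is why reordering mech_list does not change the outcome.
    return max(candidates, key=lambda m: SSF[m])


if __name__ == "__main__":
    server_offer = ["gssapi", "digest-md5", "external"]  # order from the thread
    print("default choice:", choose_mechanism(server_offer))
    print("with override :", choose_mechanism(server_offer, forced="GSSAPI"))
```
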