Kerberos/LDAP/SASL central authentication server howto

Markus Moeller huaraz at
Tue Aug 10 07:17:38 EDT 2004

I think you are right, SASL only protects the authentication exchange. I found also that cysus-sasl hard codes SSF 56 for GSSAPI. 
On Tue, 10 Aug 2004 12:47 , Nikola Milutinovic <Nikola.Milutinovic at> sent: 
>Markus Moeller wrote: 
>> Nikola,   
>> If you look athe the slapd.conf help you find:   
>> sasl-secprops   
>This is all fine, but it still refers to AUTHENTICATION protection. It  
>states nothing on the protection of data being transported AFTER the  
>authentication has been performed. And to my knowledge, only SSL/TLS  
>offer transport encryption 
>> I tried to use the -O minssf=128 with ldapsearch against AD, but get a failure although I use the latest heimdal library which 
>> rc4-hmac. I can see that I have an arcfour-hmac-md5 ticket for the ldap/server principal and would assume that rc4-hmace allows the  
>> higher encryption.  
>Perhaps MS ADS doesn't support anything that strong. It should support  
>GSS-API, which is at SSF:56. 
Markus Moeller <huaraz at> 

More information about the Info-cyrus mailing list