Kerberos/LDAP/SASL central authentication server howto
huaraz at moeller.plus.com
Tue Aug 10 07:17:38 EDT 2004
I think you are right, SASL only protects the authentication exchange. I found also that cysus-sasl hard codes SSF 56 for GSSAPI.
On Tue, 10 Aug 2004 12:47 , Nikola Milutinovic <Nikola.Milutinovic at ev.co.yu> sent:
>Markus Moeller wrote:
>> If you look athe the slapd.conf help you find:
>This is all fine, but it still refers to AUTHENTICATION protection. It
>states nothing on the protection of data being transported AFTER the
>authentication has been performed. And to my knowledge, only SSL/TLS
>offer transport encryption
>> I tried to use the -O minssf=128 with ldapsearch against AD, but get a failure although I use the latest heimdal library which
>> rc4-hmac. I can see that I have an arcfour-hmac-md5 ticket for the ldap/server principal and would assume that rc4-hmace allows the
>> higher encryption.
>Perhaps MS ADS doesn't support anything that strong. It should support
>GSS-API, which is at SSF:56.
Markus Moeller <huaraz at moeller.plus.com>
More information about the Info-cyrus