Re: Kerberos/LDAP/SASL central authentication server howto

[Andreas <andreas@conectiva.com.br>]

On Mon, Aug 09, 2004 at 02:38:21PM +0200, Tarjei Huse wrote:
> ?? I didn't know , sorry. Please tell me more on how I can use GSSAPI instead of
> tls to secure not only authentication but everything that happens over the
> wire.

It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
also.

Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
authentication.

With ldapsearch, for example:
$ ldapsearch -h ldap.server | head -5
SASL/GSSAPI authentication started
SASL username: andreas@DISTRO.CONECTIVA
SASL SSF: 56  <---------- encrypted channel (only 56 bits though)
SASL installing layers
(...)

With digest-md5:
$ ldapsearch -h ldap.server -Y digest-md5 | head -5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: andreas
SASL SSF: 128  <---------------------
SASL installing layers
(...)

But Kmail, for example, even though supporting DIGEST-MD5, does not encrypt the
rest of the traffic. That is, it doesn't request this additional layer of
security.