Re: Kerberos/LDAP/SASL central authentication server howto
Nikola,
I think you are right, SASL only protects the authentication exchange. I found also that cyrus-sasl hard codes SSF 56 for GSSAPI.
Thanks
Markus
On Tue, 10 Aug 2004 12:47, Nikola Milutinovic <Nikola.Milutinovic@ev.co.yu> sent:
>Markus Moeller wrote:
>
>> Nikola,
>>
>> If you look at the slapd.conf help you find:
>>
>> sasl-secprops
>
>This is all fine, but it still refers to AUTHENTICATION protection. It
>states nothing on the protection of data being transported AFTER the
>authentication has been performed. And to my knowledge, only SSL/TLS
>offer transport encryption.
>
>> I tried to use the -O minssf=128 with ldapsearch against AD, but get a failure although I use the latest heimdal library which supports
>> rc4-hmac. I can see that I have an arcfour-hmac-md5 ticket for the ldap/server principal and would assume that rc4-hmac allows the
>> higher encryption.
>
>Perhaps MS ADS doesn't support anything that strong. It should support
>GSS-API, which is at SSF:56.
>
>Nix.
--
Markus Moeller <huaraz@moeller.plus.com>