Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

[Tony Earnshaw <tonye@billy.demon.nl>]

ons, 24.03.2004 kl. 16.49 skrev Quanah Gibson-Mount:

> > 1) What happens when a client connects over unencrypted channel, and
> > authorises using SASL (for instance SASL/GSSAPI). Does the whole traffic
> > automatically become encrypted afterwards (i.e. does this automatically
> > starts TLS), or not?
> 
> No.  It depends on 2 things:
> 
> 1) The encryption strength of your K5 keys
> 2) If the client doing the bind has turned on encryption.
> 
> So you can have more or less encryption based on 1, and you can have no 
> encryption based on 2.
> 
> Because of this, Stanford uses the sasl_ssf flag in all its ACL's, forcing 
> encryption for all the data, so that if someone has not turned on 
> encryption, they cannot get data, even if they can successfully bind via 
> SASL/GSSAPI.

What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
encryption, over the wire, or simply that data in is encrypted? If the
latter, what is the expense of the latter compared to SSL/TLS? Which is
preferable from a data security point of view?

O.k., this has nothing to do with Openldap software ... etc. Take it
that you know the umich subscribe address, I just gave it to Thomas
Gagné.

Best,

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl