Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]
Wed, 24.03.2004 at 16.49, Quanah Gibson-Mount wrote:
> > 1) What happens when a client connects over an unencrypted channel, and
> > authorises using SASL (for instance SASL/GSSAPI). Does the whole traffic
> > automatically become encrypted afterwards (i.e. does this automatically
> > start TLS), or not?
>
> No. It depends on 2 things:
>
> 1) The encryption strength of your K5 keys
> 2) If the client doing the bind has turned on encryption.
>
> So you can have more or less encryption based on 1, and you can have no
> encryption based on 2.
>
> Because of this, Stanford uses the sasl_ssf flag in all its ACLs, forcing
> encryption for all the data, so that if someone has not turned on
> encryption, they cannot get data, even if they can successfully bind via
> SASL/GSSAPI.
What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
encryption, over the wire, or simply that data in is encrypted? If the
latter, what is the expense of the latter compared to SSL/TLS? Which is
preferable from a data security point of view?
O.k., this has nothing to do with OpenLDAP software ... etc. Take it
that you know the umich subscribe address, I just gave it to Thomas
Gagné.
Best,
--Tonni
--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
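An added illustration of the sasl_ssf ACL control Quanah refers to: slapd.conf fragments written for this note, not Stanford's or any list member's actual configuration. The threshold values and the attribute list are assumptions.

```conf
# Added example, not from the original thread. Security strength factors
# (ssf) in OpenLDAP: 0 = no protection, 1 = integrity only, 56 = DES-class,
# 112 = 3DES-class, 128 = AES-128-class, per slapd.access(5).

# Weak: any authenticated user may read. A SASL/GSSAPI bind can succeed
# even when the client negotiated no security layer (sasl_ssf=0), so
# entries then travel in the clear on a plain ldap:// connection.
access to attrs=mail,telephoneNumber
    by users read
    by * none

# Hardened (the sasl_ssf approach described above): read access is only
# granted when the SASL security layer on this connection is at least
# 56 bits strong. A GSSAPI bind with no layer still authenticates, but
# every read falls through to "by * none" and returns nothing.
access to attrs=mail,telephoneNumber
    by users sasl_ssf=56 read
    by * none

# Variant: ssf= is the strongest of the TLS and SASL layers, so this
# form accepts either ldaps://, StartTLS, or a SASL layer of >= 56.
access to *
    by users ssf=56 read
    by * none

# Global alternative: reject any operation on a connection below the
# required overall strength with confidentialityRequired instead of
# silently denying per ACL. SASL binds themselves are exempt from the
# ssf= check, since the layer is only installed after the bind completes.
security ssf=56
```

On the client side, ldapsearch -Y GSSAPI -O minssf=56 asks the SASL library to negotiate at least that strong a security layer, so a misconfigured client fails early rather than reading an empty result.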