Wed, 24.03.2004 at 16:49, Quanah Gibson-Mount wrote:
> > 1) What happens when a client connects over an unencrypted channel, and
> > authorises using SASL (for instance SASL/GSSAPI). Does the whole
> > traffic automatically become encrypted afterwards (i.e. does this
> > automatically start TLS), or not?
>
> No. It depends on 2 things:
>
> 1) The encryption strength of your K5 keys
> 2) If the client doing the bind has turned on encryption.
>
> So you can have more or less encryption based on 1, and you can have no
> encryption based on 2.
>
> Because of this, Stanford uses the sasl_ssf flag in all its ACLs,
> forcing encryption for all the data, so that if someone has not turned
> on encryption, they cannot get data, even if they can successfully bind
> via SASL/GSSAPI.
What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
encryption, over the wire, or simply that data in is encrypted? If the
latter, what is the expense of the latter compared to SSL/TLS? Which is
preferable from a data security point of view?
O.k., this has nothing to do with Openldap software ... etc. Take it
that you know the umich subscribe address, I just gave it to Thomas
Gagné.
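An added slapd.conf fragment illustrating the sasl_ssf ACL pattern Quanah describes above; it is not taken from the thread or from Stanford's configuration. The threshold 56 and the attribute names are assumptions.

```conf
# Added example, not from the thread. sasl_ssf is the strength of the
# SASL security layer the client actually negotiated: 0 if the GSSAPI
# bind succeeded but no layer was turned on, 1 for integrity only,
# 56 or more when confidentiality is in use. The values below are
# assumptions; pick the minimum your Kerberos enctypes can deliver.

# Password attribute: only a client that bound with a 56+ SASL layer may
# update its own entry. Everyone else gets "auth" only, which is what a
# bind needs and nothing more, so no data is returned on the wire.
access to attrs=userPassword
    by sasl_ssf=56 self write
    by * auth

# Everything else: authenticated users can read, but only over a SASL
# layer of at least 56. A client that bound via GSSAPI without enabling
# a layer falls through to "by * auth" and reads nothing, exactly the
# effect described above. A TLS session alone does not satisfy
# sasl_ssf; use ssf= instead if either TLS or SASL encryption is fine.
access to *
    by sasl_ssf=56 users read
    by * auth
```

The clauses in one `by` line are ANDed, so `sasl_ssf=56 users` means "a user who also has a 56+ SASL layer"; ACLs are evaluated in order and the first matching `by` clause wins.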