
Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

--On Wednesday, March 24, 2004 6:22 PM +0100 Tony Earnshaw <tonye@billy.demon.nl> wrote:

> Wed, 24.03.2004 at 16.49, Quanah Gibson-Mount wrote:
>
>>> 1) What happens when a client connects over unencrypted channel, and
>>> authorises using SASL (for instance SASL/GSSAPI). Does the whole
>>> traffic automatically become encrypted afterwards (i.e. does this
>>> automatically start TLS), or not?
>>
>> No.  It depends on 2 things:
>>
>> 1) The encryption strength of your K5 keys
>> 2) If the client doing the bind has turned on encryption.
>>
>> So you can have more or less encryption based on 1, and you can have no
>> encryption based on 2.
>>
>> Because of this, Stanford uses the sasl_ssf flag in all its ACLs,
>> forcing encryption for all the data, so that if someone has not turned
>> on encryption, they cannot get data, even if they can successfully bind
>> via SASL/GSSAPI.
>
> What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
> encryption, over the wire, or simply that data is encrypted? If the
> latter, what is the expense of the latter compared to SSL/TLS? Which is
> preferable from a data security point of view?
>
> O.k., this has nothing to do with OpenLDAP software ... etc. Take it
> that you know the umich subscribe address, I just gave it to Thomas
> Gagné.

Hm, actually it has to do with how OpenLDAP operates, and how clients interact with OpenLDAP, so I'd say it applies to this list. ;)


By encryption, I mean encryption over the wire. Just like Kerberos login sessions are encrypted over the wire, the LDAP connection between the client and OpenLDAP server is also encrypted. You are just using a method other than SSL/TLS to do the over-the-wire encryption. If you turned on TLS/SSL in this case, you would be encrypting over the wire twice -- a bit of overkill, I think.

From a security point of view, I'd say it depends on your encryption
strengths and requirements. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
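The two ways of enforcing what Quanah describes, an ACL gated on the SASL security layer versus a server-wide floor, in slapd.conf form. This is an added example and not Stanford's or OpenLDAP's own configuration; the suffix dc=example,dc=edu and the strength 56 are assumptions chosen for illustration.

```conf
# slapd.conf fragment (added example, not Stanford's or the OpenLDAP
# project's configuration). Suffix, DNs and SSF values are assumed.

# Stanford-style rule: anyone may bind, but directory data is only
# returned on a connection whose SASL security layer (for example GSSAPI
# with a confidentiality layer) negotiated at least 56 bits. TLS does not
# satisfy this clause: sasl_ssf counts only the SASL layer, so a client
# that bound with GSSAPI but did not request a SASL confidentiality
# layer fails the first "by" line and falls through to "by * none".
access to dn.subtree="dc=example,dc=edu"
        by users sasl_ssf=56 read
        by * none

# Alternative: accept confidentiality from whichever layer provides it.
# "ssf" is the connection's overall strength (the stronger of the
# transport, TLS and SASL layers), so this admits TLS-only clients as
# well as SASL-encrypted ones. Use instead of the rule above, not both.
# access to dn.subtree="dc=example,dc=edu"
#         by users ssf=56 read
#         by * none

# Server-wide floor, checked before any ACL is consulted: operations on a
# connection whose overall SSF is below 56 are refused with
# "confidentiality required"; StartTLS is still permitted so a client
# can raise its SSF and retry.
security ssf=56

# Tell the SASL library to reject plaintext and anonymous mechanisms and
# to refuse any negotiation that yields fewer than 56 bits of protection.
sasl-secprops noplain,noanonymous,minssf=56
```

On the client side, the corresponding request for a confidentiality layer is made with the SASL security properties option, e.g. ldapsearch -Y GSSAPI -O minssf=56; without it a GSSAPI bind may succeed yet negotiate no layer at all, which is exactly the case the sasl_ssf ACL above is meant to catch. The SSF that GSSAPI actually reports depends on the Kerberos enctype of the session key, as Quanah's point 1 notes, so the floor chosen must be one the realm's keys can meet.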