Re: Antwort: OpenLDAP exclusively on SSL [Virus checked]

[Tony Earnshaw <tonye@billy.demon.nl>]

ons, 24.03.2004 kl. 19.45 skrev Quanah Gibson-Mount:

> > What do you mean by "encryption" here? Is this (let's say SSL/TLS) data
> > encryption, over the wire, or simply that data in is encrypted? If the
> > latter, what is the expense of the latter compared to SSL/TLS? Which is
> > preferable from a data security point of view?
> >
> > O.k., this has nothing to do with Openldap software ... etc. Take it
> > that you know the umich subscribe address, I just gave it to Thomas
> > Gagné.
> 
> Hm, actually it has to do with how OpenLDAP operates, and how clients 
> interact with OpenLDAP, so I'd say it applies to this list. ;)

I have this nervous twitch, nowadays.

> By encryption, I mean encryption over the wire.  Just like Kerberos login 
> sessions are encrypted over the wire, the LDAP connection between the 
> client and OpenLDAP server is also encrypted.  You are just using a method 
> other than SSL/TLS to do the over-the-wire encryption.  If you turned on 
> TLS/SSL in this case, you would be encrypting over the wire twice -- A bit 
> of an overkill, I think.

What is it that's doing the encryption/de-encryption, then? Is that
Kerberos (I dunno, I've never used it. Of course I could read up, but at
the moment I don't need it, might tomorrow)

> >From a security point of view, I'd say it depends on your encryption 
> strengths and requirements. ;)

Maybe I should read the docs again. My demands are for SSL/TLS.

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl