[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl with Kerberos support

To: Jaap Winius <jwinius@umrk.nl>, openldap-technical@openldap.org
Subject: Re: Syncrepl with Kerberos support
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Mon, 11 Jan 2010 15:00:23 -0800
Content-disposition: inline
In-reply-to: <20100111203351.x1yl6l8drs8ocksg@www.umrk.nl>
References: <20100106015347.jyt5jb1ozpcwc8gg@www.umrk.nl> <20100111203351.x1yl6l8drs8ocksg@www.umrk.nl>

--On Monday, January 11, 2010 8:33 PM +0100 Jaap Winius <jwinius@umrk.nl>wrote:

Quoting Jaap Winius <jwinius@umrk.nl>:

Although I know how to configure syncrepl with the "simple" bindmethod,
using a clear-text password exchange and clear-text database
replication, and I know how to setup an provider server with MIT
Kerberos V encryption support, can anyone explain how to configure a
consumer so that syncrepl also uses Kerberos?


Okay, I'll answer this one myself.

Before I begin, let me say that, in this case, Kerberos only offers
encrypted authentication and not data encryption for the OpenLDAP
replication phase; for that it is necessary to set up a Certificate
Authority and use TLS (LDAP over SSL, slapd on port 636).

You're wrong. Using SASL/GSSAPI fully encrypts the entire session if youtell it to, which is the default for most applications, including OpenLDAP.The only client I've ever seen that doesn't use encryption by default isSun's JNDI stuff.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: Syncrepl with Kerberos support
  - From: Jaap Winius <jwinius@umrk.nl>

References:
- Syncrepl with Kerberos support
  - From: Jaap Winius <jwinius@umrk.nl>
- Re: Syncrepl with Kerberos support
  - From: Jaap Winius <jwinius@umrk.nl>

Prev by Date: Re: Compiling OpenLDAP 2.4.21 on RHEL 5
Next by Date: Re: Syncrepl with Kerberos support
Index(es):
- Chronological
- Thread