[24585] in Kerberos
RE: is that common to use kerberos authentication for SUN
daemon@ATHENA.MIT.EDU (Wachdorf, Daniel R)
Thu Sep 1 16:45:47 2005
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 1 Sep 2005 13:50:47 -0600
Message-ID: <80A84CB5E834D4439556D1F64A1FEB83012AAA03@ES20SNLNT.srn.sandia.gov>
From: "Wachdorf, Daniel R" <drwachd@sandia.gov>
To: "Markus Moeller" <huaraz@moeller.plus.com>, kerberos@mit.edu
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
Whether a directory can do SASL/GSSAPI data privacy and/or integrity is
directory server specific. Some directories (AD) support privacy and/or
integrity protection. Others (Sun) don't, so you must use SSL.
One other thing to be aware of is that clients and downgrade the privacy
and integrity protection. If clients can do downgrade the data
protection, it makes me wonder if an attacker can downgrade the session.
I haven't looked into it enough.
-dan
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 1:24 PM
To: kerberos@mit.edu
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do
encryption
too. What was the reason not to use SASL/GSSAPI with encryption. And
example
is AD, which can be accessed via SASL/GSSAPI with encryption.
Thanks
Markus
"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
news:4316DEC8.5060809@spawar.navy.mil...
> Kent Wu wrote:
>>
>> So my question is that is it pretty easy to enable Kerberos for
SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our
copy
> against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary
versions
> they sold previously also use MIT Kerberos.
>
> We now have several processes that regularly use only GSSAPI/SASL
over
> SSL to authenticate and communicate with LDAP. Works very well.
>
> HTH,
> Craig
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos