is that common to use kerberos authentication for SUN iplanet LDAP server?

Wachdorf, Daniel R drwachd at sandia.gov
Thu Sep 1 15:50:47 EDT 2005


Whether a directory can do SASL/GSSAPI data privacy and/or integrity is
directory server specific.  Some directories (AD) support privacy and/or
integrity protection.  Others (Sun) don't, so you must use SSL. 

One other thing to be aware of is that clients can downgrade the privacy
and integrity protection.  If clients can downgrade the data
protection, it makes me wonder if an attacker can downgrade the session.
I haven't looked into it enough.

-dan

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 1:24 PM
To: kerberos at mit.edu
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?

Craig,

you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption
too. What was the reason not to use SASL/GSSAPI with encryption? An example
is AD, which can be accessed via SASL/GSSAPI with encryption.

Thanks
Markus

"Craig Huckabee" <huck at spawar.navy.mil> wrote in message 
news:4316DEC8.5060809 at spawar.navy.mil...
> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
>   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions
> they sold previously also use MIT Kerberos.
>
>   We now have several processes that regularly use only GSSAPI/SASL over
> SSL to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 



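The security-layer negotiation this thread discusses, as an added example that is not part of the original messages or of any product they mention. It assumes the token layout of RFC 4752 (one octet of layer bits, three octets of buffer size, then the authorization identity), works on the cleartext left after GSS_Unwrap, and uses constructed sample bytes and hypothetical function names.

```python
# Added example: SASL/GSSAPI security-layer negotiation, layout assumed from RFC 4752.
# Tokens are the cleartext after GSS_Unwrap; all sample bytes are constructed.
NONE, INTEGRITY, CONFIDENTIALITY = 0x01, 0x02, 0x04
ORDER = [NONE, INTEGRITY, CONFIDENTIALITY]  # weakest to strongest

def parse_server_offer(token: bytes):
    """Server token: octet 0 = bitmask of offered layers, octets 1-3 = max buffer size."""
    if len(token) != 4:
        raise ValueError("server offer must be exactly 4 octets")
    offered = [bit for bit in ORDER if token[0] & bit]
    if not offered:
        raise ValueError("server offered no known security layer")
    return offered, int.from_bytes(token[1:], "big")

def choose_layer(offered, minimum):
    """Client policy: strongest offered layer, but fail closed below `minimum`.
    A caller already inside TLS can pass NONE; a cleartext caller passes CONFIDENTIALITY."""
    best = offered[-1]  # offered is sorted weakest to strongest
    if ORDER.index(best) < ORDER.index(minimum):
        raise PermissionError("server offers nothing at or above the required layer")
    return best

def build_client_reply(layer, max_buf, authzid=b""):
    """Client token: octet 0 = the one selected layer, octets 1-3 = max buffer, then authzid."""
    if layer == NONE:
        max_buf = 0  # buffer size must be 0 when no security layer is selected
    return bytes([layer]) + max_buf.to_bytes(3, "big") + authzid

def check_client_reply(token: bytes, offered, minimum):
    """Server policy: the selection must be a single layer that was offered and
    meets the minimum, so a client cannot quietly select a weaker layer."""
    if len(token) < 4:
        raise ValueError("client reply shorter than 4 octets")
    layer, max_buf = token[0], int.from_bytes(token[1:4], "big")
    if layer not in ORDER or layer not in offered:
        raise PermissionError("client selected a layer that was not offered")
    if ORDER.index(layer) < ORDER.index(minimum):
        raise PermissionError("client selected a layer below the server minimum")
    if layer == NONE and max_buf != 0:
        raise ValueError("non-zero buffer size with no security layer")
    return layer, token[4:]

# Constructed offers: a directory offering all three layers, and one offering none.
OFFER_ALL = bytes([0x07, 0x00, 0xFF, 0xFF])
OFFER_NONE_ONLY = bytes([0x01, 0x00, 0x00, 0x00])
```

Against the second offer, `choose_layer` with a `CONFIDENTIALITY` minimum raises instead of binding, which is the case where the connection has to be wrapped in SSL/TLS first.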