Simple Bind only in secured channel

Dael Maselli wrote:
> 
> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!

Do you mean you require SASL bind with GSSAPI within the LDAP connection?

The Kerberos authentication itself is not affected by SSL anyway since 
the traffic between clients, KDC and servers is protected by shared secrets.

> I don't know the LDAP protocol so well; I thought the client asks the server
> for capabilities when it connects, so if it is possible to hide the simple
> bind capability on a clear channel, the clients don't try simple bind. No?

A well-implemented LDAP client does not send a bind request before 
trying the StartTLS ext. op. It simply tries StartTLS if configured to do so 
(and without looking at the server's capability, which could have been 
spoofed by an attacker).

But frankly, sometimes when examining what LDAP client applications 
(even the ones shipped by expensive big vendors) send on the wire I'm 
asking myself what the client developers have smoked before implementing 
their application.

So, no, you can't prevent a client application from misbehaving when 
allowing port 389 and requiring StartTLS.

Ciao, Michael.
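Since a misbehaving client can't be prevented, the practical follow-up on the server side is to spot one. Below is an added example (not from this thread and not part of any LDAP server or client) that walks the BER of LDAP messages captured on a cleartext port 389 connection and reports simple binds sent before the StartTLS extended operation. The sample messages, DN and password are constructed for the example; the parser assumes message IDs below 128 and a server that answered StartTLS with success.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation OID

def tlv(buf, pos=0):
    """Decode one BER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(msg):
    """Classify one LDAPMessage as 'starttls', 'simple_bind', 'sasl_bind' or 'other'."""
    _, body, _ = tlv(msg)                       # LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }
    _, _, p = tlv(body)                         # messageID INTEGER
    op_tag, op, _ = tlv(body, p)                # protocolOp CHOICE
    if op_tag == 0x77:                          # [APPLICATION 23] ExtendedRequest
        name_tag, name, _ = tlv(op)             # requestName [0] LDAPOID
        return "starttls" if name_tag == 0x80 and name == STARTTLS_OID else "other"
    if op_tag == 0x60:                          # [APPLICATION 0] BindRequest
        _, _, p = tlv(op)                       # version INTEGER
        _, _, p = tlv(op, p)                    # name LDAPDN
        auth_tag, _, _ = tlv(op, p)             # authentication CHOICE: simple [0] / sasl [3]
        return "simple_bind" if auth_tag == 0x80 else "sasl_bind"
    return "other"

def audit(messages):
    """Return indices of simple binds the client sent before StartTLS (credentials in clear).
    A real capture is unreadable after a successful StartTLS; later messages are only
    included here so the ordering check is visible."""
    exposed, tls = [], False
    for i, m in enumerate(messages):
        kind = classify(m)
        if kind == "starttls":
            tls = True                          # assumes the server answered success
        elif kind == "simple_bind" and not tls:
            exposed.append(i)
    return exposed

# --- constructed sample traffic (short-form lengths only; message IDs < 128) ---
def ber(tag, value):
    return bytes([tag, len(value)]) + value

def simple_bind(msgid, dn, password):
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x60, op))

def starttls(msgid):
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x77, ber(0x80, STARTTLS_OID)))

DN, PW = b"cn=admin,dc=example,dc=com", b"constructed-password"
GOOD_CLIENT = [starttls(1), simple_bind(2, DN, PW)]                          # StartTLS first
BAD_CLIENT = [simple_bind(1, DN, PW), starttls(2), simple_bind(3, DN, PW)]   # password in clear

if __name__ == "__main__":
    print("good client exposed binds:", audit(GOOD_CLIENT))  # []
    print("bad client exposed binds:", audit(BAD_CLIENT))    # [0]
```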



