Re: Question regarding order of SASL authentication mechanisms


 



Thank you for the details. Is there work going on to determine the correct strength for GSSAPI? 56 bit is there only because very old implementations did only DES. Now you can have RC4, AES, etc.

Thank you
Markus

"Dan White" <dwhite@xxxxxxx> wrote in message news:493B0061.1010202@xxxxxxxxxx
Markus Moeller wrote:
Dieter,

It doesn't work as you described, or GSSAPI is weaker than DIGEST-MD5.

With /etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 external

I get:

# ldapsearch -h localhost -b "" -s base +
SASL/DIGEST-MD5 authentication started
Please enter your password:

Markus,

SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a 256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be preferred if no mechanism, or security properties, are specified.

See the manpage for ldap.conf to force a default SASL mechanism for the OpenLDAP client utilities.

You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.

- Dan
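
The selection behaviour described in this thread, as an added example that is not part of the original messages and is not Cyrus SASL or OpenLDAP code: a simplified model in which the client ignores the server's `mech_list` order and takes the strongest usable mechanism unless one is pinned. The SSF figures for DIGEST-MD5 and GSSAPI are the ones quoted above; the figure for EXTERNAL and the names `choose_mechanism`, `parse_mech_list`, `ASSUMED_SSF` and `NoMechanism` are assumptions made for the example.

```python
# Added illustration: a simplified model of client-side SASL mechanism choice.
# This is not Cyrus SASL or OpenLDAP code.
# SSF figures for DIGEST-MD5 and GSSAPI are the ones quoted in this thread;
# the figure for EXTERNAL is an assumption made for the example.
ASSUMED_SSF = {"DIGEST-MD5": 256, "GSSAPI": 56, "EXTERNAL": 0}


class NoMechanism(Exception):
    """No offered mechanism satisfies the client's constraints."""


def parse_mech_list(line):
    """Parse a 'mech_list: a b c' config line into upper-case mechanism names."""
    key, sep, value = line.partition(":")
    if not sep or key.strip() != "mech_list":
        raise ValueError("not a mech_list line: %r" % line)
    return [name.upper() for name in value.split()]


def choose_mechanism(offered, sasl_mech=None, minssf=0, ssf_table=ASSUMED_SSF):
    """Return the mechanism the modelled client would use.

    offered   -- mechanisms advertised by the server (their order is ignored)
    sasl_mech -- mechanism pinned by the user, like SASL_MECH in ~/.ldaprc
    minssf    -- minimum acceptable strength, like minssf in SASL_SECPROPS
    """
    # Keep only mechanisms the client knows and that are strong enough.
    usable = [m.upper() for m in offered
              if m.upper() in ssf_table and ssf_table[m.upper()] >= minssf]
    if sasl_mech is not None:
        pinned = sasl_mech.upper()
        # A pinned mechanism is used or the bind fails: no silent fallback.
        if pinned not in usable:
            raise NoMechanism("%s is not offered or is below minssf" % pinned)
        return pinned
    if not usable:
        raise NoMechanism("no offered mechanism meets minssf=%d" % minssf)
    # Server order plays no part: the highest SSF wins.
    return max(usable, key=lambda m: ssf_table[m])


if __name__ == "__main__":
    # Constructed input: the mech_list line quoted in the thread.
    offered = parse_mech_list("mech_list: gssapi digest-md5 external")
    print(choose_mechanism(offered))                      # no preference set
    print(choose_mechanism(offered, sasl_mech="GSSAPI"))  # pinned, as in ~/.ldaprc
```

In this model, pinning a mechanism that the server does not offer raises an error instead of falling back to another mechanism.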



