Re: Simple Bind only in secured channel

Michael Ströder, on 15/06/2008 13.30, wrote:
> Dael Maselli wrote:
>> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
>
> Do you mean you require SASL bind with GSSAPI within the LDAP connection?

Yes.

> The Kerberos authentication itself is not affected by SSL anyway since the traffic between clients, KDC and servers is protected by shared secrets.

Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI -h ldaps://server:636`
it says that GSSAPI is not supported over SSL. Am I wrong?

>> I don't know the LDAP protocol so well; I thought the client asks the server for
>> its capabilities when it connects, so if it is possible to hide the simple
>> bind capability on the clear channel, the clients won't try simple bind. No?
>
> A well-implemented LDAP client does not send a bind request before trying the StartTLS ext. op. It simply tries StartTLS if configured to do so (and without looking at the server's capability, which could have been spoofed by an attacker).
>
> But frankly, sometimes when examining what LDAP client applications (even the ones shipped by expensive big vendors) send on the wire I'm asking myself what the client developers have smoked before implementing their application.
>
> So, no, you can't prevent a client application from misbehaving when allowing port 389 and requiring StartTLS.
>
> Ciao, Michael.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
___________________________________________________________________

Dael Maselli  ---  INFN-LNF Computing Service  --  +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
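Michael's point above is that the server cannot stop a misbehaving client from sending a simple bind in the clear on port 389, and that a good client issues StartTLS before any bind without consulting the advertised capabilities. What a defender can do is see it happen. The following is an added example, not code from anyone in this thread or from the Fedora Directory Server project: a minimal BER decoder for the two LDAP PDUs involved (BindRequest, RFC 4511 `[APPLICATION 0]`, and the StartTLS ExtendedRequest, OID 1.3.6.1.4.1.1466.20037) and an audit that walks a client's PDUs in wire order and flags a simple bind that precedes StartTLS. Every sample PDU is constructed by the builder functions; the DN `uid=app,ou=People,dc=example,dc=com` and the password are placeholders.

```python
# Added example: BER decoder for LDAP BindRequest / StartTLS ExtendedRequest plus an
# audit over client PDUs. Sample PDUs are constructed by the builders, not captured traffic.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used by LDAPv3 (RFC 4511)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0]
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23]
TAG_AUTH_SIMPLE = 0x80       # [0] the password, in the clear on a plain socket
TAG_AUTH_SASL = 0xA3         # [3] SaslCredentials
TAG_EXT_REQUEST_NAME = 0x80  # [0] requestName (LDAPOID)

def ber_length(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def ber_int(n):
    return ber(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def ber_read_all(buf):
    """Decode consecutive TLVs until buf is exhausted."""
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = ber_read(buf, pos)
        out.append((tag, value))
    return out

def build_simple_bind(msgid, dn, password):
    op = ber(TAG_BIND_REQUEST, ber_int(3) + ber(TAG_OCTET_STRING, dn.encode())
             + ber(TAG_AUTH_SIMPLE, password.encode()))
    return ber(TAG_SEQUENCE, ber_int(msgid) + op)

def build_sasl_bind(msgid, mechanism):
    sasl = ber(TAG_AUTH_SASL, ber(TAG_OCTET_STRING, mechanism.encode()))
    op = ber(TAG_BIND_REQUEST, ber_int(3) + ber(TAG_OCTET_STRING, b"") + sasl)
    return ber(TAG_SEQUENCE, ber_int(msgid) + op)

def build_starttls(msgid):
    op = ber(TAG_EXTENDED_REQUEST, ber(TAG_EXT_REQUEST_NAME, STARTTLS_OID.encode()))
    return ber(TAG_SEQUENCE, ber_int(msgid) + op)

def decode_ldap_message(pdu):
    """Decode one LDAPMessage into a dict; operations other than the two above get op='other'."""
    tag, body, _ = ber_read(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    (_, msgid_raw), (op_tag, op_body) = ber_read_all(body)[:2]  # controls, if any, ignored
    msg = {"msgid": int.from_bytes(msgid_raw, "big", signed=True)}
    if op_tag == TAG_BIND_REQUEST:
        (_, version), (_, name), (auth_tag, auth) = ber_read_all(op_body)[:3]
        msg.update(op="bind", version=version[0], name=name.decode(errors="replace"))
        if auth_tag == TAG_AUTH_SIMPLE:
            msg.update(auth="simple", password=auth.decode(errors="replace"))
        elif auth_tag == TAG_AUTH_SASL:
            msg.update(auth="sasl", mechanism=ber_read_all(auth)[0][1].decode())
        else:
            msg.update(auth="unknown")
    elif op_tag == TAG_EXTENDED_REQUEST:
        msg.update(op="extended", oid=ber_read_all(op_body)[0][1].decode())
    else:
        msg.update(op="other", tag=op_tag)
    return msg

def audit_client_pdus(pdus):
    """Walk client->server PDUs in wire order; report binds that precede StartTLS.
    Only the client side is modelled, so the StartTLS request itself marks the switch
    to TLS; a real monitor would wait for the successful extendedResp first."""
    findings, tls = [], False
    for pdu in pdus:
        m = decode_ldap_message(pdu)
        if m["op"] == "extended" and m["oid"] == STARTTLS_OID:
            tls = True
        elif m["op"] == "bind" and not tls:
            if m["auth"] == "simple" and m["password"]:
                findings.append(("high", m["msgid"], "cleartext simple bind as " + m["name"]))
            elif m["auth"] == "simple":
                findings.append(("low", m["msgid"], "unauthenticated bind (empty password)"))
            elif m["auth"] == "sasl":  # e.g. GSSAPI: credentials protected by the mechanism itself
                findings.append(("info", m["msgid"], "SASL/" + m["mechanism"] + " bind on plain socket"))
    return findings

# Constructed streams; the DN and password are placeholders, not real credentials.
APP_DN = "uid=app,ou=People,dc=example,dc=com"
MISBEHAVING_CLIENT = [build_simple_bind(1, APP_DN, "placeholder-secret")]
WELL_BEHAVED_CLIENT = [build_starttls(1), build_simple_bind(2, APP_DN, "placeholder-secret")]
GSSAPI_CLIENT = [build_sasl_bind(1, "GSSAPI")]
```

Running `audit_client_pdus(MISBEHAVING_CLIENT)` returns one "high" finding because the password travels as a plain OCTET STRING inside the BindRequest; the same bind after `build_starttls` returns nothing, and the GSSAPI bind on a plain socket is reported only as "info", matching Michael's remark that Kerberos authentication does not depend on the TLS layer. To use this on real traffic, feed the audit the reassembled client-to-server byte stream of a port 389 session, split into LDAPMessages with `ber_read`.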
