On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote: > > The LDAP client usually just sends all data (passwords > included!) in the clear to the LDAP server. This is bad. SASL > encrypts all the communication between the client and server. > Right, but your passwords should be hashed anyways. > Okay, now if I've at least got that much right.... > > 1) How do I make the client and server use SASL? I was forever > at a loss on this. Never could find a How-To for it or > anything. (Every How-To I found on LDAP started off with > something to the effect of "SASL is beyond the scope of this > document" =P ) > Because even though SASL is the "simple" authentication and security layer, it is far from simple. > 2) Once I've enabled SASL (enabled? Is that even the right > term?) how can I see if it's working? > Personally, I just force everything (client and server) into using SSL. Then, when I want to do stuff like use the LDAP backend to also do authentication for parts of my website (that way users can use the same password to login and to access the site), I know that no matter what, everything is ecrypted. Also, IIRC, SASL can only encrypt the authentication part. So everything after that, including queries, are in the clear. Regards, -Roberto -- Roberto C. Sanchez http://people.connexer.com/~roberto http://www.connexer.com
Attachment:
signature.asc
Description: Digital signature