On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
The LDAP client usually just sends all data (passwords
included!) in the clear to the LDAP server. This is bad. SASL
encrypts all the communication between the client and server.
Right, but your passwords should be hashed anyways.
Okay, now if I've at least got that much right....
1) How do I make the client and server use SASL? I was forever
at a loss on this. Never could find a How-To for it or
anything. (Every How-To I found on LDAP started off with
something to the effect of "SASL is beyond the scope of this
document" =P )
Because even though SASL is the "simple" authentication and security
layer, it is far from simple.
2) Once I've enabled SASL (enabled? Is that even the right
term?) how can I see if it's working?
Personally, I just force everything (client and server) into using SSL.
Then, when I want to do stuff like use the LDAP backend to also do
authentication for parts of my website (that way users can use the same
password to login and to access the site), I know that no matter what,
everything is ecrypted. Also, IIRC, SASL can only encrypt the
authentication part. So everything after that, including queries, are
in the clear.
Regards,
-Roberto