Roberto C. Sanchez wrote:
On Tue, Feb 06, 2007 at 09:22:40AM -0500, Grok Mogger wrote:
The LDAP client usually just sends all data (passwords
included!) in the clear to the LDAP server. This is bad. SASL
encrypts all the communication between the client and server.
Right, but your passwords should be hashed anyways.
Okay, now if I've at least got that much right....
1) How do I make the client and server use SASL? I was forever
at a loss on this. Never could find a How-To for it or
anything. (Every How-To I found on LDAP started off with
something to the effect of "SASL is beyond the scope of this
document" =P )
Because even though SASL is the "simple" authentication and security
layer, it is far from simple.
2) Once I've enabled SASL (enabled? Is that even the right
term?) how can I see if it's working?
Personally, I just force everything (client and server) into using SSL.
Then, when I want to do stuff like use the LDAP backend to also do
authentication for parts of my website (that way users can use the same
password to login and to access the site), I know that no matter what,
everything is encrypted. Also, IIRC, SASL can only encrypt the
authentication part. So everything after that, including queries, is
in the clear.
Regards,
-Roberto
So forget SASL and just send everything through an SSL tunnel?
So you'd do something like this on the client... "ssh -L
7777:LDAPServer:$LDAPServerPORT -N [EMAIL PROTECTED]", and then
set up the LDAP client to send everything to the client's own
7777 port? And do something similar on the server. Is that right?
The thought had occurred to me, but SASL sounded like it was
what I was *supposed* to do. If someone experienced out there
is doing this though, then I'm fine with that. Sounds like it
might be a better solution anyway.
Thanks for helping me out,
- GM
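An added example, not from anyone in this thread, for the "how can I see if it's working" question: a minimal BER decoder that takes a captured LDAP BindRequest (RFC 4511 layout) and reports whether it is a simple bind carrying a plaintext password or a SASL bind, run over two constructed messages. The DN, password and mechanism in the samples are made up.

```python
"""Classify captured LDAP BindRequest messages (RFC 4511) as plaintext or SASL binds."""
from typing import Tuple

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER encoder (short/long definite length); used only to build samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def classify_bind(msg: bytes) -> dict:
    """Report what kind of bind a captured LDAPMessage carries, without echoing the secret."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (ciphertext or non-LDAP data?)")
    _, mid, pos = read_tlv(body, 0)            # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)        # protocolOp
    result = {"message_id": int.from_bytes(mid, "big"), "bind": None}
    if op_tag != 0x60:                         # [APPLICATION 0] == BindRequest
        return result
    _, ver, pos = read_tlv(op, 0)              # version INTEGER
    _, name, pos = read_tlv(op, pos)           # name LDAPDN
    auth_tag, auth, _ = read_tlv(op, pos)      # AuthenticationChoice
    result.update(version=ver[0] if ver else 0, name=name.decode("utf-8", "replace"))
    if auth_tag == 0x80:                       # simple [0]: password is a bare OCTET STRING
        result.update(bind="simple", plaintext_password=len(auth) > 0, password_length=len(auth))
    elif auth_tag == 0xA3:                     # sasl [3] SaslCredentials { mechanism, credentials }
        _, mech, _ = read_tlv(auth, 0)
        result.update(bind="sasl", mechanism=mech.decode("ascii", "replace"))
    else:
        result["bind"] = "unknown"
    return result

# Constructed sample captures (not taken from a real server): what a client puts on the wire.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
                  + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"hunter2")))
SASL_BIND = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60, tlv(0x02, b"\x03")
                + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, b"DIGEST-MD5"))))
```

Feed it the payload bytes of a capture taken on the LDAP port: a simple bind that parses is the clear-text case the thread warns about, while traffic going through ldaps:// or the SSH tunnel will not parse as an LDAPMessage at all, which is the result you want.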