From: Markus Moeller (no email)
Date: Sun Dec 07 2008 - 08:03:17 EST
Thank you for the details. Is there work going on to determine the correct
strength for GSSAPI? 56 bit is there only because very old
implementations did only DES. Now you can have RC4, AES, etc.
Thank you
Markus
"Dan White" <> wrote in message
news:...
> Markus Moeller wrote:
>> Dieter,
>>
>> It doesn't work as you described or GSSAPI is weaker than DIGEST-MD5
>>
>> With /etc/sasl2/slapd.conf
>> mech_list: gssapi digest-md5 external
>>
>> I get:
>>
>> # ldapsearch -h localhost -b "" -s base +
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>
> Markus,
>
> SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a
> 256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be
> preferred if no mechanism, or security properties, are specified.
>
> See the manpage for ldap.conf to force a default SASL mechanism for the
> OpenLDAP client utilities.
>
> You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.
>
> - Dan
>