From: Markus Moeller (no email)
Date: Sun Dec 07 2008 - 08:03:17 EST
Thank you for the details. Is there work going on to determine the correct
strength for GSSAPI? 56 bit is there only because very old
implementations did only DES. Now you can have RC4, AES, etc...
"Dan White" wrote in message
> Markus Moeller wrote:
>> It doesn't work as you described, or GSSAPI is weaker than DIGEST-MD5.
>> With /etc/sasl2/slapd.conf:
>> mech_list: gssapi digest-md5 external
>> I get:
>> # ldapsearch -h localhost -b "" -s base +
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
> SASL is a server-offers - client-chooses specification. DIGEST-MD5 is a
> 256 bit mechanism and GSSAPI is a 56 bit mechanism, so DIGEST-MD5 may be
> preferred if no mechanism, or security properties, are specified.
> See the manpage for ldap.conf to force a default SASL mechanism for the
> OpenLDAP client utilities.
> You can put 'SASL_MECH GSSAPI' within ~/.ldaprc.
> - Dan