subject:"Re\: \[Fedora\-directory\-users\] SSL\/TLS vs SASL in Directory Server solution"

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

2008-05-13 Thread David Boreham


Kenneth Holter wrote:
We're going for the TLS based solution. However, I'd like a better 
understanding of SASL, so let me post these questions:


* What can SASL be used for besides Kerberos integration?

SASL is a pluggable authentication framework, so it is a bit abstract 
when you read about it.
In theory you can use SASL to support any authentication mechanism you 
can think of
(smart cards, fingerprint scanners, etc etc). In practice, in the 
context of LDAP it is typically
used for Kerberos or as Rich pointed out one of the challenge-response 
authentication
mechanisms that prevent plaintext password exposure, such as Digest-MD5. 
To be honest
I'm not sure how much of either of these is widely deployed. I only ever 
see SSL/TLS

in the wild, outside of hard core Kerberos shops.

SASL was originally developed to allow
pluggable authentication to be added to protocols that had either no 
authentication at all,

or very weak support for authentication (IMAP and SMTP for example). In the
context of LDAP its value is less clear because LDAP already had well 
developed
support for SSL and cert-based auth, that for the most part removes the 
need for SASL.
In addition, since the LDAP server is generally itself the authoritative 
authentication
service, the pluggable SASL server mechanisms really don't make sense 
most of
the time (because the LDAP server doesn't want or need to ask any other 
entity

to take its authentication decisions for it).


* The RHDS documentation says that TLS can be used as an
  authentication mechanism, but doesn't provide much details.


There are two different ways to use TLS to facilitate authentication :
1) Use plain text passwords but with TLS protecting the traffic from 
eavesdropping, and providing

a way for clients to trust servers. This is what is used 99% of the time.
2) Cert-based authentication (similar to SSH keys if you've used that) 
where the DS authenticates
the client based on crypto, derived from the client being in possession 
of a suitable certificate.
This is used mostly in high security environments (with hardware tokens 
for example).


* How can I check if SASL is enabled on my LDAP server (RHDS)?


There's a way to get the list of supported SASL mechanisms from the rootDSE.
Another way is to attempt a SASL BIND operation with a client and see if 
it succeeds.
I can dig out the details on these later if you can't track them down 
with Google, if

I have some spare time...

From memory, the server always has the EXTERNAL (SSL) and digest 
mechanisms enabled.
Kerberos will be enabled if the machine is suitably configured (has 
Kerberos installed, configured
correctly, rubber chicken held above the console while chanting prayers 
to the security gods, etc).






--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

2008-05-13 Thread Rich Megginson


Kenneth Holter wrote:

Thank you for the quick reply.
 
We're going for the TLS based solution. However, I'd like a better 
understanding of SASL, so let me post these questions:


* What can SASL be used for besides Kerberos integration?


The SASL mechanism Digest-MD5 is an LDAP standard authentication mechanism.


* The RHDS documentation says that TLS can be used as an
  authentication mechanism, but doesn't provide much details.

You can use an X.509 user certificate (cert) to authenticate to the 
server.  http://directory.fedoraproject.org/wiki/Howto:CertMapping


   *


* How can I check if SASL is enabled on my LDAP server (RHDS)?


It is enabled by default.
ldapsearch -x -s base -b "" "objectclass=*" supportedsaslmechanisms
 
On 5/13/08, *David Boreham* <[EMAIL PROTECTED] 
> wrote:


Kenneth Holter wrote:

The DS supports both TLS and SASL. TLS can be used for both
authentication and encryption, and should therefore cover our
security needs.
 SASL is quite new to me, and as of now I don't see the
benefit of using it. Which security or functionality features
does SASL provide that TLS doesn't? I know that SASL enables
integration with Kerberos, but we're most likely not going for
a Kerberos based solution.
 


SASL is primarily needed to support Kerberos clients.
Use TLS unless you already know that you want SASL for some reason.




--
Fedora-directory-users mailing list
[email protected]

https://www.redhat.com/mailman/listinfo/fedora-directory-users




--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
  




smime.p7s
Description: S/MIME Cryptographic Signature
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

2008-05-13 Thread Kenneth Holter

Thank you for the quick reply.

We're going for the TLS based solution. However, I'd like a better
understanding of SASL, so let me post these questions:

   - What can SASL be used for besides Kerberos integration? The RHDS
   documentation says that TLS can be used as an authentication mechanism, but
   doesn't provide much details.
   - How can I check if SASL is enabled on my LDAP server (RHDS)?


On 5/13/08, David Boreham <[EMAIL PROTECTED]> wrote:

> Kenneth Holter wrote:
>
> > The DS supports both TLS and SASL. TLS can be used for both
> > authentication and encryption, and should therefore cover our security
> > needs.
> >  SASL is quite new to me, and as of now I don't see the benefit of using
> > it. Which security or functionality features does SASL provide that TLS
> > doesn't? I know that SASL enables integration with Kerberos, but we're most
> > likely not going for a Kerberos based solution.
> >
> >
> SASL is primarily needed to support Kerberos clients.
> Use TLS unless you already know that you want SASL for some reason.
>
>
>
>
> --
> Fedora-directory-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

2008-05-13 Thread David Boreham


Kenneth Holter wrote:
The DS supports both TLS and SASL. TLS can be used for both 
authentication and encryption, and should therefore cover our security 
needs.
 
SASL is quite new to me, and as of now I don't see the benefit of 
using it. Which security or functionality features does SASL provide 
that TLS doesn't? I know that SASL enables integration with Kerberos, 
but we're most likely not going for a Kerberos based solution.
 

SASL is primarily needed to support Kerberos clients.
Use TLS unless you already know that you want SASL for some reason.




--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

Re: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution

4 matches

Site Navigation

Mail list logo

Footer information