Old 12-06-2007, 12:09 PM
Timothy Murphy
 
Default openldap: SASL and/or TLS?

Still battling with openldap,
which I actually have working perfectly,
but which I still don't understand.

What exactly is the relation between SASL and TLS?
Are they alternative methods of authentication,
or are they complementary in some way?

Presently I'm just using TLS.

Any illumination gratefully received.


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-06-2007, 01:41 PM
Craig White
 
Default openldap: SASL and/or TLS?

On Thu, 2007-12-06 at 13:09 +0000, Timothy Murphy wrote:
> Still battling with openldap,
> which I actually have working perfectly,
> but which I still don't understand.
>
> What exactly is the relation between SASL and TLS?
> Are they alternative methods of authentication,
> or are they complementary in some way?
>
> Presently I'm just using TLS.
>
> Any illumination gratefully received.
----
TLS is an encryption method
SASL is an authentication method

with reference to all recent Fedora versions (6/7/8), the openldap admin
guide is here...

http://www.openldap.org/doc/admin23/

or more specifically (SASL)
http://www.openldap.org/doc/admin23/sasl.html
OpenLDAP clients and servers are capable of authenticating via the
Simple Authentication and Security Layer (SASL) framework, which is
detailed in RFC2222. This chapter describes how to make use of SASL in
OpenLDAP.

and here...
http://www.openldap.org/doc/admin23/tls.html
OpenLDAP clients and servers are capable of using the Transport Layer
Security (TLS) framework to provide integrity and confidentiality
protections and to support LDAP authentication using the SASL EXTERNAL
mechanism.

Craig

 
Old 12-06-2007, 11:44 PM
Timothy Murphy
 
Default openldap: SASL and/or TLS?

Craig White wrote:

>> What exactly is the relation between SASL and TLS?
>> Are they alternative methods of authentication,
>> or are they complementary in some way?
>>
>> Presently I'm just using TLS.
>>
>> Any illumination gratefully received.
> ----
> TLS is an encryption method
> SASL is an authentication method

OK, thanks for responding yet again.
You've said that before,
but it seems to me that encryption necessarily involves,
or requires, authentication.

> with reference to all recent Fedora versions (6/7/8), the openldap admin
> guide is here...
>
> http://www.openldap.org/doc/admin23/

I have been looking at that.
But I'll study it further.

> or more specifically (SASL)
> http://www.openldap.org/doc/admin23/sasl.html
> OpenLDAP clients and servers are capable of authenticating via the
> Simple Authentication and Security Layer (SASL) framework, which is
> detailed in RFC2222. This chapter describes how to make use of SASL in
> OpenLDAP.

Yes, I did see that.
But it wasn't clear to me if the openldap user
was actually being advised to use SASL.
As a matter of interest, do you advise it?

> and here...
> http://www.openldap.org/doc/admin23/tls.html
> OpenLDAP clients and servers are capable of using the Transport Layer
> Security (TLS) framework to provide integrity and confidentiality
> protections and to support LDAP authentication using the SASL EXTERNAL
> mechanism.

So it seems that this document at least
recommends the use of SASL + TLS?


 
Old 12-07-2007, 04:05 AM
Craig White
 
Default openldap: SASL and/or TLS?

On Fri, 2007-12-07 at 00:44 +0000, Timothy Murphy wrote:
> Craig White wrote:
>
> >> What exactly is the relation between SASL and TLS?
> >> Are they alternative methods of authentication,
> >> or are they complementary in some way?
> >>
> >> Presently I'm just using TLS.
> >>
> >> Any illumination gratefully received.
> > ----
> > TLS is an encryption method
> > SASL is an authentication method
>
> OK, thanks for responding yet again.
> You've said that before,
> but it seems to me that encryption necessarily involves,
> or requires, authentication.
>
> > with reference to all recent Fedora versions (6/7/8), the openldap admin
> > guide is here...
> >
> > http://www.openldap.org/doc/admin23/
>
> I have been looking at that.
> But I'll study it further.
>
> > or more specifically (SASL)
> > http://www.openldap.org/doc/admin23/sasl.html
> > OpenLDAP clients and servers are capable of authenticating via the
> > Simple Authentication and Security Layer (SASL) framework, which is
> > detailed in RFC2222. This chapter describes how to make use of SASL in
> > OpenLDAP.
>
> Yes, I did see that.
> But it wasn't clear to me if the openldap user
> was actually being advised to use SASL.
> As a matter of interest, do you advise it?
>
> > and here...
> > http://www.openldap.org/doc/admin23/tls.html
> > OpenLDAP clients and servers are capable of using the Transport Layer
> > Security (TLS) framework to provide integrity and confidentiality
> > protections and to support LDAP authentication using the SASL EXTERNAL
> > mechanism.
>
> So it seems that this document at least
> recommends the use of SASL + TLS?
----
I think my first answer was to just use SSL (even though it is
supposedly deprecated) and be done with it.

I don't use SASL configuration as it has a level of complexity that
seems unnecessary. My only issue was to use encryption so as to not send
users/passwords over the LAN unencrypted and both SSL and TLS can do
that without much effort.

Craig

 
Old 12-07-2007, 05:11 AM
Tim
 
Default openldap: SASL and/or TLS?

On Fri, 2007-12-07 at 00:44 +0000, Timothy Murphy wrote:
> it seems to me that encryption necessarily involves,
> or requires, authentication.

Generically, no... It just means the traffic is encrypted, whatever it
is. e.g. I can look at bugzilla using an HTTPS connection, but I haven't
logged in, so it doesn't know who I am. That's encryption without
authentication.

But if you, then, authenticate in some way through that encrypted
connection, you get both. i.e. You log on.

--

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.



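The distinction Craig draws (TLS protects the transport; SASL or a simple bind supplies the identity) and Tim's point that an encrypted session by itself says nothing about who the client is can both be seen in OpenLDAP configuration. The fragment below is an added illustration, not from this thread or the OpenLDAP documentation; the hostname, file paths, DNs, the authz-regexp pattern and the 128-bit strength are assumed values.

```conf
# slapd.conf (server side). Constructed example; all paths and DNs are assumed.

# 1. TLS: the transport is encrypted and integrity-protected, but on its own
#    it only identifies the *server* to the client. A client running
#    `ldapsearch -ZZ -x` with no -D is anonymous over an encrypted link:
#    encryption without authentication (Tim's not-logged-in HTTPS case).
TLSCACertificateFile   /etc/openldap/cacerts/ca.crt
TLSCertificateFile     /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.example.com.key
# Ask for a client certificate but keep serving clients that have none;
# a verified client cert is what SASL EXTERNAL will use as the credential.
TLSVerifyClient        try

# 2. Authentication over the encrypted link. Craig's goal is that a password
#    never crosses the LAN in clear: rather than hoping every client passes
#    -ZZ, refuse a simple (password) bind unless the session already has at
#    least 128 bits of TLS protection. A bind attempted without TLS is
#    rejected with "confidentiality required" instead of leaking the password.
security simple_bind=128

# 3. SASL EXTERNAL: no password at all. The identity comes from the TLS
#    client certificate verified in step 1; map its subject DN onto the
#    user's entry in the directory (regexp and DN layout are assumed).
authz-regexp
  "^cn=([^,]+),ou=people,o=example,c=us$"
  "cn=$1,ou=people,dc=example,dc=com"

# ---------------------------------------------------------------------------
# /etc/openldap/ldap.conf (client side). Verify the server's certificate, or
# the "encryption" is merely with whoever answered on port 389.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand

# ~/.ldaprc for a user who authenticates with a certificate instead of a
# password (TLS_CERT/TLS_KEY are per-user options, ignored in ldap.conf).
TLS_CERT    /home/alice/.ldap/alice.crt
TLS_KEY     /home/alice/.ldap/alice.key
SASL_MECH   EXTERNAL

# The three cases from the thread as client commands (-ZZ = StartTLS or fail):
#   ldapsearch -ZZ -x "(uid=alice)"                 # encrypted, anonymous
#   ldapsearch -ZZ -x -W \
#     -D "cn=alice,ou=people,dc=example,dc=com" "(uid=alice)"
#                                                   # encrypted + password bind
#   ldapsearch -ZZ -Y EXTERNAL "(uid=alice)"        # encrypted, cert is the credential
```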
 
Old 12-07-2007, 06:20 PM
Timothy Murphy
 
Default openldap: SASL and/or TLS?

Craig White wrote:

> I don't use SASL configuration as it has a level of complexity that
> seems unnecessary. My only issue was to use encryption so as to not send
> users/passwords over the LAN unencrypted and both SSL and TLS can do
> that without much effort.

Thanks very much.
That is enough for me - goodbye SASL, hallo TLS.



 
Old 12-07-2007, 06:22 PM
Timothy Murphy
 
Default openldap: SASL and/or TLS?

Tim wrote:

>> it seems to me that encryption necessarily involves,
>> or requires, authentication.
>
> Generically, no... It just means the traffic is encrypted, whatever it
> is. e.g. I can look at bugzilla using an HTTPS connection, but I haven't
> logged in, so it doesn't know who I am. That's encryption without
> authentication.
>
> But if you, then, authenticate in some way through that encrypted
> connection, you get both. i.e. You log on.

Yes, I was being silly -
I was thinking, there is no point in encrypting data
if you tell everyone how to decrypt it.
But I suppose there is a point to that -
namely, ensuring that the data is kosher.



