Re: KerberLDAP (Re: openbsd yp security)

> So this means that you want to bind to the LDAP server
> over a secure connection.  I've used pocket networks and
> clear text [pocket network: a very private network on another
> interface - often a slave LDAP server that's dedicated to that
> chunk of infrastructure (email for me)].
> Given that my boxes often had a long term relationship with
> the LDAP server(s), IPSEC can make sense.  The sort of worse
> case is the most common case of LDAP/SSL.  Very expensive and
> LDAP servers don't benefit too much from rainbow cards for
> these very short lived connections.  Cleartext is not an
> acceptable option ever.  YP is even better than that <shudder>.

Another possibility here is an SSL tunnel between the LDAP client
and server.  Let 'stunnel' do the heavy crypto lifting and
leave the LDAP software to do the directory thing.

David S.
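As an added illustration of the tunnel described above (not part of the original message), here is a matching stunnel configuration pair: the client host's stunnel accepts plain LDAP on loopback and carries it over TLS, and the server host's stunnel terminates TLS and hands plaintext to the directory on loopback. Hostnames, file paths and port choices are assumptions.

```ini
; --- /etc/stunnel/ldap-client.conf  (on the LDAP client host) ---
; The LDAP library is pointed at ldap://127.0.0.1:389 and never sees TLS.
; Binding to loopback keeps the plaintext hop off the network.
[ldap-client]
client  = yes
accept  = 127.0.0.1:389
connect = ldap.example.com:636      ; assumed server name
; Verify the server's certificate chain and its name; without this the
; tunnel only hides traffic from a passive observer.
verifyChain = yes
CAfile      = /etc/ssl/certs/ca.pem ; assumed path to the trusted CA
checkHost   = ldap.example.com

; --- /etc/stunnel/ldap-server.conf  (on the LDAP server host) ---
; stunnel owns port 636; the directory itself listens only on loopback,
; so the only way in from the network is through the TLS endpoint.
[ldap-server]
accept  = 636
connect = 127.0.0.1:389
cert    = /etc/stunnel/ldap-server.pem ; assumed server certificate
key     = /etc/stunnel/ldap-server.key ; assumed private key
```

The directory's own listener should be bound to 127.0.0.1 (or firewalled from other hosts) so clients cannot bypass the tunnel by connecting to port 389 directly.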

