Quoting Quanah Gibson-Mount quanah@zimbra.com:
Before I begin, let me say that, in this case, Kerberos only offers encrypted authentication and not data encryption for the OpenLDAP replication phase; for that it is necessary to set up a Certificate Authority and use TLS (LDAP over SSL, slapd on port 636).
You're wrong. Using SASL/GSSAPI fully encrypts the entire session if you tell it to, which is the default for most applications, including OpenLDAP. The only client I've ever seen that doesn't use encryption by default is Sun's JNDI stuff.
Right, I stand corrected! This makes me very happy, because it means that I now have less work to do than I thought.
Thanks very much!
Cheers,
Jaap