--On Monday, January 11, 2010 8:33 PM +0100 Jaap Winius jwinius@umrk.nl wrote:
Quoting Jaap Winius jwinius@umrk.nl:
Although I know how to configure syncrepl with the "simple" bindmethod, using a clear-text password exchange and clear-text database replication, and I know how to set up a provider server with MIT Kerberos V encryption support, can anyone explain how to configure a consumer so that syncrepl also uses Kerberos?
Okay, I'll answer this one myself.
Before I begin, let me say that, in this case, Kerberos only offers encrypted authentication and not data encryption for the OpenLDAP replication phase; for that it is necessary to set up a Certificate Authority and use TLS (LDAP over SSL, slapd on port 636).
You're wrong. Using SASL/GSSAPI fully encrypts the entire session if you tell it to, which is the default for most applications, including OpenLDAP. The only client I've ever seen that doesn't use encryption by default is Sun's JNDI stuff.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
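The following slapd.conf fragments are an added illustration of the point made in this thread; they are not configuration posted by either participant. The consumer binds with bindmethod=sasl and the GSSAPI mechanism, and both sides set a minimum security strength factor (SSF) so that a session the SASL layer has not encrypted is refused rather than silently accepted in clear text. The hostnames, realm, suffix, replica id and the SSF value 56 are constructed placeholders; the fragment also assumes the consumer's slapd already holds a valid Kerberos ticket for its own principal (for example from a periodically refreshed keytab-based credential cache), which nothing here manages.

```conf
# --- provider slapd.conf fragment (hostnames, realm and suffix are placeholders) ---

# Tell the SASL layer which Kerberos realm and service host name this server uses.
sasl-realm      EXAMPLE.COM
sasl-host       ldap-provider.example.com

# After a GSSAPI bind the consumer's principal ldap/ldap-consumer.example.com@EXAMPLE.COM
# is presented (normalised) as uid=...,cn=example.com,cn=gssapi,cn=auth; map that
# identity onto the DN that the ACLs grant read access to the replicated subtree.
authz-regexp
    uid=ldap/ldap-consumer.example.com,cn=example.com,cn=gssapi,cn=auth
    cn=replicator,dc=example,dc=com

# Refuse anonymous and plaintext SASL binds and require the SASL layer to
# negotiate at least SSF 56 (integrity plus confidentiality).
sasl-secprops   noanonymous,noplain,minssf=56

# Reject any operation, including syncrepl searches and updates, whose session
# has not reached SSF 56 by some means (SASL/GSSAPI here, TLS would also count).
security        ssf=56 update_ssf=56

# --- consumer slapd.conf fragment ---

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
updateref       ldap://ldap-provider.example.com

# No binddn/credentials line: GSSAPI takes the identity and key material from the
# Kerberos credential cache, so no password is stored in this file.
# secprops=minssf=56 makes the consumer itself refuse to continue if the
# provider were to offer an unprotected session.
syncrepl rid=001
    provider=ldap://ldap-provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    scope=sub
    bindmethod=sasl
    saslmech=GSSAPI
    realm=EXAMPLE.COM
    secprops=minssf=56
```

To confirm from the consumer host that a GSSAPI session actually reaches the required strength before enabling replication, run ldapwhoami -Y GSSAPI -O minssf=56 -H ldap://ldap-provider.example.com: the -O security properties make the client abort the bind unless the negotiated SSF is at least 56, and a successful answer shows the cn=replicator DN the authz-regexp mapping produced.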