On Fri, 2007-12-07 at 00:44 +0000, Timothy Murphy wrote:
> Craig White wrote:
>
> >> What exactly is the relation between SASL and TLS?
> >> Are they alternative methods of authentication,
> >> or are they complementary in some way?
> >>
> >> Presently I'm just using TLS.
> >>
> >> Any illumination gratefully received.
> > ----
> > TLS is encryption method
> > SASL is an authentication method
>
> OK, thanks for responding yet again.
> You've said that before,
> but it seems to me that encryption necessarily involves,
> or requires, authentication.
>
> > with reference to all recent Fedora versions (6/7/8), the openldap admin
> > guide is here...
> >
> > http://www.openldap.org/doc/admin23/
>
> I have been looking at that.
> But I'll study it further.
>
> > or more specifically (SASL)
> > http://www.openldap.org/doc/admin23/sasl.html
> > OpenLDAP clients and servers are capable of authenticating via the
> > Simple Authentication and Security Layer (SASL) framework, which is
> > detailed in RFC2222. This chapter describes how to make use of SASL in
> > OpenLDAP.
>
> Yes, I did see that.
> But it wasn't clear to me if the openldap user
> was actually being advised to use SASL.
> As a matter of interest, do you advise it?
>
> > and here...
> > http://www.openldap.org/doc/admin23/tls.html
> > OpenLDAP clients and servers are capable of using the Transport Layer
> > Security (TLS) framework to provide integrity and confidentiality
> > protections and to support LDAP authentication using the SASL EXTERNAL
> > mechanism.
>
> So it seems that this document at least
> recommends the use of SASL + TLS?
----
I think my first answer was to just use SSL (even though it is
supposedly deprecated) and be done with it. I don't use SASL
configuration as it has a level of complexity that seems unnecessary. My
only issue was to use encryption so as to not send users/passwords over
the LAN unencrypted and both SSL and TLS can do that without much
effort.

Craig
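An added example, not part of the thread and not OpenLDAP project code: a small check for the setup discussed above (TLS or SSL protecting simple username/password binds, with no SASL), which reads a slapd.conf and reports whether the server would still accept a simple bind in cleartext. The sample configs, file paths and the 128 threshold are constructed assumptions; `security simple_bind=<n>` is the slapd.conf directive that sets the minimum security strength factor (SSF) for simple binds, and only global directives are considered here.

```python
import re

# Constructed sample configs (not from the thread); paths are placeholders.
WEAK_CONF = """\
# TLS is available, but nothing forces clients to use it
TLSCACertificateFile  /etc/openldap/cacerts/ca.pem
TLSCertificateFile    /etc/openldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd.key
"""

HARDENED_CONF = WEAK_CONF + """\
# Refuse simple (DN + password) binds unless the session has SSF >= 128
security simple_bind=128
"""

MIN_SSF = 128  # assumed policy threshold for this example


def directives(text):
    """Yield (name, args) for each slapd.conf directive; names are case-insensitive."""
    # A line that starts with whitespace continues the previous directive.
    joined = re.sub(r"\n[ \t]+", " ", text)
    for line in joined.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1:]


def audit(text):
    """Return findings for a config that lets passwords cross the LAN unencrypted."""
    seen = {}
    for name, args in directives(text):
        seen.setdefault(name, []).extend(args)
    findings = []
    for needed in ("tlscertificatefile", "tlscertificatekeyfile"):
        if needed not in seen:
            findings.append(f"{needed} not set: server cannot offer TLS")
    # ssf= and tls= apply to every operation, simple_bind= only to simple binds;
    # any one of them at or above the threshold blocks a cleartext password bind.
    factors = dict(a.lower().split("=", 1) for a in seen.get("security", []) if "=" in a)
    strongest = max(int(factors.get(k, 0)) for k in ("ssf", "tls", "simple_bind"))
    if strongest < MIN_SSF:
        findings.append(f"no 'security' factor >= {MIN_SSF}: cleartext simple binds accepted")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "ok")
```

Having certificates configured only makes TLS available; without a `security` factor the server still answers a simple bind on an unencrypted connection, which is the case the first sample config triggers.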