I am running OpenLDAP 2.4 on a Debian jessie system. Clients typically connect to this LDAP server over port 389 using SASL/GSSAPI with our Kerberos infrastructure.

When a client connects using SASL/GSSAPI, how should they connect to be sure that the sessions are encrypted? Or are SASL/GSSAPI sessions automatically encrypted?

user35042
1 Answer

SASL/GSSAPI is an authentication means, only authentication. If you want encrypted data exchange throughout the session, you should use the TLS configuration of your OpenLDAP server. This is clearly not the case since you speak about port 389. Your server should listen on port 636 (ldaps) by default for encrypted sessions.

  • Thanks for that answer. As I learned subsequent to my posting this question, after connecting via GSSAPI over port 389 one can do a STARTTLS to get an encrypted session. – user35042 Aug 04 '16 at 12:26
  • Yes, StartTLS allows you to have a session with encrypted exchanges over another port (636 is the default one). – Abdelhamid MEDDEB Aug 05 '16 at 07:30