Pantek Library

Re: KerberLDAP (Re: openbsd yp security)

From: Bob Beck <beck(at)bofh.ucs.ualberta.ca>
Date: Fri Jan 31 2003 - 11:17:49 EST


>No need for stunnel; OpenLDAP directly supports encrypted sessions.

You're missing the point, Chris. SSL session startup and teardown is expensive, and LDAP sessions (particularly when used for authentication) are short-lived. You pay a big price for the setup and teardown of each session to your LDAP server. Fine if you don't have many authentications against it, but (like in my case) when you can get tens of thousands of authentications per minute, it'll suck big time. That's why we still use Kerberos auth directly for things (like really busy authenticated web servers) that constantly reauthenticate. I look at the number of authentications in an hour on the Kerberos servers and run screaming at the thought of trying to do that against an SSL-ized OpenLDAP. SSLtunnel or IPsec means you don't have the expensive session setup and teardown for each authentication.

         -Bob

Received on Fri Jan 31 11:19:13 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:32:40 EDT

