Is traffic subsequent to a SASL/GSSAPI bind encrypted?

Question

When making a SASL/GSSAPI bind to an LDAP server over port 389 (ldap:///), after the authentication is finished is the resulting LDAP traffic encrypted? If so, is there a document or RFC that describes this?

Assume that no STARTLS command is issued by the client.

Note that the question "Is it secure to be using LDAP, or is LDAPS the only secure option?" mentions some ways to secure an LDAP connection but does not address the question of whether or not connecting via SASL/GSSAPI encrypts subsequent data communications.

Answer 1

Unless you are explicitly using LDAPS on port 636 or TLS over 389, then you are not using encryption. You can verify this with a quick packet capture. I wouldn't even trust that your authentication credentials are protected, but I am not aware of what protections that exist there.

Edit: I may be wrong. It appears that there are some modes of SASL that provide some confidentiality (source):

In additional to authentication, some SASL mechanisms support integrity and privacy protection of the communication channel after successful authentication. With integrity protection, subsequent LDAP requests and responses are protected against tampering. With privacy protection, subsequent LDAP requests and responses are encrypted and therefore protected against unintended monitoring. Privacy protection automatically entails integrity protection. These different types of protection are referred to as the quality of protection (qop). It is negotiated between the client and server during the authentication phase of the SASL exchange. If the client and server cannot negotiate a common qop, then the SASL authentication fails.

That said, I do not know how thorough this protection is. See this answer for a more in depth look.