[39603] in Kerberos


Re: ldap tls question

daemon@ATHENA.MIT.EDU (Marek Greško via Ke)
Thu Apr 16 13:43:06 2026

Date: Thu, 16 Apr 2026 17:41:35 +0000
To: Stefan Kania <stefan@kania-online.de>
Cc: kerberos@mit.edu
Message-ID: <2RH3GYkEDBmjMDxLJsjghgpQAkG9mUTF6QxzVniJwlJCNb3RbQS7J2ou6rVVzo6_1Jex9k6cAY7rN-X2eQROFywXll6wcObpkPdOVKe9mTs=@protonmail.com>
In-Reply-To: <68c35ef9-8303-464f-afec-00305a30a08f@kania-online.de>
MIME-Version: 1.0
From: Marek Greško via Kerberos <kerberos@mit.edu>
Reply-To: Marek Greško <marek.gresko@protonmail.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

The "much more secure" is a subject for discussion, since you can usually demand server certificate verification. I suppose it is not possible in Kerberos?

In the matter of security there is the unanswered second part of the question: how to verify the server certificate even when using ldaps? I see no option to specify a CA certificate or to demand server certificate verification.

Thanks

Marek




Sent with Proton Mail secure email.

On Thursday, 16 April 2026, 18:58, Stefan Kania <stefan@kania-online.de> wrote:

> Hi,
> 
> you should not use start_tls because ssl (ldaps) is much more secure. Here is the part from my configuration:
> 
> [dbmodules]
>          ldapconf = {
>                  db_library = kldap
>                  ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
>                  ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
>                  ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
>                  ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
>                  ldap_servers = "ldaps://provider01.example.net"
>                  ldap_conns_per_server = 5
>                  }
> If you need more than one LDAP server you can have a list separated by blanks.
> 
> On 16.04.26 at 09:18, Marek Greško via Kerberos wrote:
> > Hello,
> >
> > I use MIT Kerberos with the LDAP backend. I have defined ldap_servers in dbmodules as ldap://FQDN. Since this is a local host it is not a problem. But I am interested in how to configure it correctly if the LDAP server is not local and I want to use start_tls on ldap instead of ssl on ldaps. Also I am interested in how I can specify a CA certificate file for either start_tls or ssl and how to require certificate verification. I cannot see options for these settings in the manuals.
> >
> > Thanks
> >
> > Marek
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
> 
> 
> 

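Added example (not part of the thread, and not MIT krb5's or Stefan's own configuration): the thread's open question is where the CA bundle and the "verify or refuse" policy go when kdc.conf has no option for them. The kldap backend links OpenLDAP's libldap, and libldap takes its TLS trust settings from ldap.conf (TLS_CACERT, TLS_REQCERT; the same knobs are available as LDAPTLS_* environment variables), not from kdc.conf. The script below writes a constructed kdc.conf fragment and a matching ldap.conf, then runs two offline checks a practitioner would want before trusting the setup: that every ldap_servers URI is ldaps:// or ldapi:// (kldap exposes no StartTLS switch, an assumption stated in the code, so ldap:// over the network is plaintext), and that ldap.conf names a CA bundle and demands a verified server certificate. All hostnames, DNs and file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. MIT krb5's kldap backend uses OpenLDAP's
# libldap, whose TLS trust settings live in ldap.conf (or LDAPTLS_* env vars),
# not in kdc.conf. Hostnames, DNs and paths below are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed kdc.conf fragment: ldaps:// URIs only, whitespace-separated.
cat >"$WORK/kdc.conf" <<'EOF'
[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
        ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
        ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
        ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
        ldap_servers = "ldaps://provider01.example.net ldaps://provider02.example.net"
        ldap_conns_per_server = 5
    }
EOF

# Constructed ldap.conf (the system file is /etc/ldap/ldap.conf or
# /etc/openldap/ldap.conf): the CA bundle and verification policy go here.
cat >"$WORK/ldap.conf" <<'EOF'
TLS_CACERT  /etc/ssl/certs/example-net-ca.pem
TLS_REQCERT demand
EOF

# Return 1 if ldap_servers is missing or any URI is not ldaps:// or ldapi://.
# Assumption: kldap has no StartTLS option, so ldap:// over a network is plaintext.
check_kdc_servers() {   # $1 = kdc.conf
    uris=$(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p' "$1")
    [ -n "$uris" ] || return 1
    for u in $uris; do
        case "$u" in
            ldaps://*|ldapi://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 1 unless ldap.conf names a CA bundle and TLS_REQCERT is demand/hard.
# libldap's documented default for TLS_REQCERT is demand, so an absent line
# passes; never/allow/try silently accept an unverified server and fail here.
check_ldap_tls() {      # $1 = ldap.conf
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1" | tail -n1)
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$1" | tail -n1)
    [ -n "$cacert" ] || return 1
    case "${reqcert:-demand}" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

check_kdc_servers "$WORK/kdc.conf"
check_ldap_tls "$WORK/ldap.conf"
echo "kdc.conf uses only ldaps:// and ldap.conf demands a verified server certificate"

# Manual check against the real server (not run here). The env vars force the
# same libldap settings the KDC will use, so if this fails, the KDC fails too:
#   LDAPTLS_CACERT=/etc/ssl/certs/example-net-ca.pem LDAPTLS_REQCERT=demand \
#     ldapsearch -H ldaps://provider01.example.net -x -b '' -s base
```

Run it as-is to see both checks pass on the constructed files, then point the two functions at the real /etc/krb5kdc/kdc.conf and ldap.conf on the KDC. The ldapsearch line in the trailing comment is the live test: with TLS_REQCERT=demand a hostname mismatch or an unknown CA makes the bind fail instead of silently connecting.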

