
Re: ldap tls question

daemon@ATHENA.MIT.EDU (Marek Greško via Kerberos)
Fri Apr 17 01:28:08 2026

Date: Fri, 17 Apr 2026 05:26:41 +0000
To: Carson Gaspar <carson@taltos.org>
Cc: kerberos@mit.edu
Message-ID: <D61lD9LkWTQEBLAJXk-qkrqiSi_mHOIXexnesv33xWeQx_5065aJGJvdpe3iLsbXeI_N66sH4txPj5WLCEaJPJMksoFAVsJiyybYfDxE5y4=@protonmail.com>
In-Reply-To: <5009a24a-25c2-4f32-81d8-495c31d98667@taltos.org>
MIME-Version: 1.0
From: Marek Greško via Kerberos <kerberos@mit.edu>
Reply-To: Marek Greško <marek.gresko@protonmail.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

This seems usable. So I suppose when I set ldaps instead of ldap, Kerberos should stop working until I set LDAPTLS_CACERT in /etc/sysconfig/krb5kdc, right? (I am using Fedora 43.)

The start_tls is not possible with MIT Kerberos, right?

Thanks

Marek



Sent with Proton Mail secure email.

Thursday, 16 April 2026, 20:09, Carson Gaspar <carson@taltos.org> wrote:

> On 4/16/2026 11:51 AM, Ken Hornstein via Kerberos wrote:
> >> In the matter of security there is the unanswered second part of the
> >> question. How to verify the server certificate even when using ldaps? I see
> >> no option to specify a CA certificate or to demand server certificate
> >> verification.
> > FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
> > but fine, it's not something I care to argue about.  But my memory is that
> > at least with OpenLDAP there is a configuration file where you can specify
> > all of these things.  Also since OpenLDAP links against a separate TLS
> > library you could put server CA certificates in the "usual place" where
> > the TLS library implementation looks for those things.  We use a non-public
> > PKI infrastructure for our LDAP server and we put those server certificates
> > in the appropriate place for the operating system and it Just Works.
> 
> Using the "usual place" is questionable, as it includes the mass of
> Internet CAs. If you trust them to never issue certs for your LDAP
> server name, fine. I'm less sanguine about the security of random CAs
> (and there have been multiple past incidents of bogus certs being issued).
> 
> To control the additional LDAP options, you can either set environment
> variables in your krb5kdc process, or set up an ldaprc / ldapconf file.
> 
> So either set LDAPTLS_CACERT / LDAPTLS_CACERTDIR env vars, or the
> TLS_CACERT / TLS_CACERTDIR options in ldaprc. You can also set TLS_CERT
> / TLS_KEY to use an X.509 client cert for AuthN.
> 
> To specify a location for an ldaprc file, set HOME and LDAPRC env vars,
> or specify LDAPCONF. You may also want to set LDAPNOINIT. Some options
> can't be set in an ldap.conf file.
> 
> I wish krb5kdc exposed a mechanism to set arbitrary OpenLDAP options,
> but the above should do what you want.
> 
> --
> 
> Carson
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

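The two posts above describe the mechanism (krb5kdc inherits OpenLDAP's LDAPTLS_* environment variables or an ldaprc) and the pitfall (pointing TLS_CACERT at the distribution bundle trusts every public CA). The script below is an added example, not code from either poster or from MIT Kerberos or OpenLDAP: it writes the environment fragment a Fedora-style /etc/sysconfig/krb5kdc would carry and then lints it before the KDC is restarted. It assumes the krb5kdc unit reads that file as a systemd EnvironmentFile (KEY=VALUE lines), and it uses LDAPTLS_REQCERT, OpenLDAP's environment form of the TLS_REQCERT ldap.conf option, which the thread does not mention. The CA file and output paths are hypothetical and passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build the environment
# fragment that hands OpenLDAP client TLS settings to krb5kdc, then check it.
# Assumption: the fragment is installed as /etc/sysconfig/krb5kdc on Fedora,
# which the krb5kdc unit loads as a systemd EnvironmentFile (KEY=VALUE only,
# no inline comments). All paths below are hypothetical.

# Distribution-wide trust stores: pinning one of these is the "usual place"
# the thread warns about, because it trusts every public CA in the bundle.
SYSTEM_BUNDLES="/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/cert.pem"

# write_kdc_env OUTFILE CAFILE: emit the KDC environment fragment that pins
# the private CA bundle and demands server certificate verification.
write_kdc_env() {
    cat > "$1" <<EOF
# OpenLDAP client options inherited by krb5kdc (libldap reads LDAPTLS_* env vars)
LDAPTLS_CACERT=$2
LDAPTLS_REQCERT=demand
EOF
}

# env_value FILE KEY: print the value of KEY=VALUE in FILE (last one wins).
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_kdc_env FILE: return 0 when the fragment pins a readable private CA
# and demands verification; otherwise print the reason and return 1.
check_kdc_env() {
    ca=$(env_value "$1" LDAPTLS_CACERT)
    reqcert=$(env_value "$1" LDAPTLS_REQCERT)

    if [ -z "$ca" ]; then
        echo "missing LDAPTLS_CACERT: libldap falls back to the TLS library's default trust store"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "LDAPTLS_CACERT=$ca is not readable: krb5kdc cannot validate the LDAP server cert"
        return 1
    fi
    for bundle in $SYSTEM_BUNDLES; do
        if [ "$ca" = "$bundle" ]; then
            echo "LDAPTLS_CACERT is the system bundle: any public CA in it could issue a cert for the LDAP server name"
            return 1
        fi
    done
    case "$reqcert" in
        demand|hard|"") ;;   # empty is acceptable: OpenLDAP's client default is 'demand'
        *)
            echo "LDAPTLS_REQCERT=$reqcert does not enforce server certificate verification"
            return 1 ;;
    esac
    return 0
}

# Demo on constructed input: a throwaway file stands in for the private PKI's CA bundle.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder, not a real certificate' '-----END CERTIFICATE-----' > "$demo_dir/ldap-ca.pem"
write_kdc_env "$demo_dir/krb5kdc" "$demo_dir/ldap-ca.pem"
check_kdc_env "$demo_dir/krb5kdc" && echo "ok: $demo_dir/krb5kdc is ready to install as /etc/sysconfig/krb5kdc"
```

The lint deliberately rejects the system bundle paths even though libldap would happily load them; the point from the thread is that a pinned private CA limits who can issue a certificate for the LDAP server name. If you prefer the ldaprc route, the same two keys go into that file as `TLS_CACERT` and `TLS_REQCERT` and the fragment instead carries `LDAPCONF=/path/to/ldaprc`.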

