[39604] in Kerberos


Re: ldap tls question

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Apr 16 13:51:48 2026

Message-Id: <202604161751.63GHpDxD011017@hedwig.cmf.nrl.navy.mil>
To: Marek Greško <marek.gresko@protonmail.com>
cc: kerberos@mit.edu
In-Reply-To: <2RH3GYkEDBmjMDxLJsjghgpQAkG9mUTF6QxzVniJwlJCNb3RbQS7J2ou6rVVzo6_1Jex9k6cAY7rN-X2eQROFywXll6wcObpkPdOVKe9mTs=@protonmail.com>
MIME-Version: 1.0
Date: Thu, 16 Apr 2026 13:51:12 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>In the matter of security there is the unanswered second part of the
>question. How to verify the server certificate even when using ldaps? I see
>no option to specify a CA certificate or to demand server certificate
>verification.

FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
but fine, it's not something I care to argue about.  But my memory is that
at least with OpenLDAP there is a configuration file where you can specify
all of these things.  Also, since OpenLDAP links against a separate TLS
library you could put server CA certificates in the "usual place" where
the TLS library implementation looks for those things.  We use a non-public
PKI infrastructure for our LDAP server and we put those server certificates
in the appropriate place for the operating system and it Just Works.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
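The configuration file Ken refers to is the OpenLDAP client's ldap.conf(5) (typically /etc/openldap/ldap.conf or /etc/ldap/ldap.conf, with ~/.ldaprc as a per-user override). The keywords that control server certificate verification are TLS_REQCERT (never, allow, try, demand, hard; demand is the documented default) and TLS_CACERT / TLS_CACERTDIR for the trust anchors; when neither CA keyword is set, the TLS library's own default store is used, which is the "usual place" the reply describes. The script below is an added example, not code from this thread or from OpenLDAP: it writes three constructed ldap.conf variants (the hostnames and CA path are made up) and audits each for whether the server certificate is actually verified and where the trust anchors come from.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread and not OpenLDAP code):
# audit an OpenLDAP client ldap.conf(5) for the settings that make
# ldaps:// or StartTLS verify the server certificate.
# Assumptions: OpenLDAP client; keywords TLS_REQCERT, TLS_CACERT and
# TLS_CACERTDIR as documented in ldap.conf(5); every path and hostname
# below is constructed for the demonstration.

# ldap_conf_get FILE KEYWORD
# Prints the last value given for KEYWORD (keywords are case-insensitive
# and a later line overrides an earlier one). Comment lines begin with '#'.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# check_ldap_tls FILE
#   returns 0: certificate is verified (TLS_REQCERT demand or hard; unset
#              counts as demand, the ldap.conf(5) default)
#   returns 1: verification disabled or optional (never, allow, try)
# Also prints which trust anchors the verification relies on.
check_ldap_tls() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    [ -z "$reqcert" ] && reqcert=demand      # documented default
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    case "$reqcert" in
        demand|hard)
            if [ -n "$cacert" ]; then
                echo "$conf: TLS_REQCERT=$reqcert, CA bundle $cacert"
            elif [ -n "$cacertdir" ]; then
                echo "$conf: TLS_REQCERT=$reqcert, CA directory $cacertdir"
            else
                echo "$conf: TLS_REQCERT=$reqcert, trust anchors from the TLS library's default store"
            fi
            return 0 ;;
        *)
            echo "$conf: TLS_REQCERT=$reqcert, server certificate NOT verified"
            return 1 ;;
    esac
}

WORK=$(mktemp -d)
WEAK_CONF="$WORK/ldap.conf.weak"
HARD_CONF="$WORK/ldap.conf.hardened"
DEFAULT_CONF="$WORK/ldap.conf.default"

# Constructed: ldaps:// is used, but verification is switched off, so the
# client accepts any certificate the peer presents.
cat > "$WEAK_CONF" <<'EOF'
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_REQCERT never
EOF

# Constructed: same client, verification demanded against a private CA.
cat > "$HARD_CONF" <<'EOF'
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_CACERT  /etc/ssl/certs/example-internal-ca.pem
TLS_REQCERT demand
EOF

# Constructed: nothing TLS-related set, so OpenLDAP falls back to demand
# and to the TLS library's default trust store.
cat > "$DEFAULT_CONF" <<'EOF'
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
EOF

for f in "$WEAK_CONF" "$HARD_CONF" "$DEFAULT_CONF"; do
    check_ldap_tls "$f" || :
done
```

With the hardened file in place, an `ldapsearch -H ldaps://...` against a server whose chain does not validate to the configured CA fails at the TLS handshake instead of proceeding, which is the behaviour the original question was asking for; the same keywords can be overridden per process with the LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables.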
