[39605] in Kerberos
RE: ldap tls question
daemon@ATHENA.MIT.EDU (Brent Kimberley via Kerberos)
Thu Apr 16 13:54:15 2026
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>,
Marek Greško <marek.gresko@protonmail.com>
CC: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 16 Apr 2026 17:54:02 +0000
Message-ID: <YQBPR0101MB8463BB6CB69E8AE87459833AFA232@YQBPR0101MB8463.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <202604161751.63GHpDxD011017@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
MIME-Version: 1.0
From: Brent Kimberley via Kerberos <kerberos@mit.edu>
Reply-To: Brent Kimberley <Brent.Kimberley@Durham.ca>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
>> I personally wouldn't say ldaps is "much more secure" than start_tls
What if you add TLS 1.3 channel binding?
-----Original Message-----
From: Kerberos <kerberos-bounces@mit.edu> On Behalf Of Ken Hornstein via Kerberos
Sent: April 16, 2026 1:51 PM
To: Marek Greško <marek.gresko@protonmail.com>
Cc: kerberos@mit.edu
Subject: Re: ldap tls question
>In the matter of security there is the non answered second part of the
>question. How to verify server certificate even when using ldaps? I see
>no option to specify CA certificate or demanding server certificate
>verification.
FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls, but fine, it's not something I care to argue about. But my memory is that at least with OpenLDAP there is a configuration file where you can specify all of these things. Also since OpenLDAP links against a separate TLS library you could put server CA certificates in the "usual place" where the TLS library implementation looks for those things. We use a non-public PKI infrastructure for our LDAP server and we put those server certificates in the appropriate place for the operating system and it Just Works.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
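Added example (the editor's own, not code posted by Ken, Brent or the OpenLDAP project): the "configuration file" Ken refers to is the OpenLDAP client ldap.conf(5), and the two keywords that decide whether the server certificate is actually verified are TLS_REQCERT (never/allow/try/demand/hard; demand is the documented default) and TLS_CACERT / TLS_CACERTDIR (explicit trust anchors). The functions below lint a given ldap.conf for those settings, run against three constructed sample files (the hostname ldap.example.test and the CA path are assumptions, not real deployments), and a separate, not-run probe function shows how the same server certificate is checked with openssl s_client on both transports: ldaps (TLS from the first byte on 636) and StartTLS (TLS negotiated after the extended operation on 389).

```shell
#!/bin/sh
# Added example, not from the thread. Lints OpenLDAP client TLS settings.
# Keywords are the documented ldap.conf(5) ones; libldap reads the system file
# (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf, distro-dependent) and ~/.ldaprc,
# with the LDAPCONF / LDAPRC environment variables overriding those locations.

# Effective TLS_REQCERT for a file: the last keyword wins; absent means "demand".
ldap_reqcert_policy() {
    val=$(grep -i '^[[:space:]]*TLS_REQCERT[[:space:]]' "$1" | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-demand}"
}

# True when the file names an explicit trust anchor (TLS_CACERT or TLS_CACERTDIR).
ldap_has_trust_anchor() {
    grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+[^[:space:]#]' "$1"
}

# Verdict:
#   unverified   TLS_REQCERT never/allow/try: a bad or self-signed cert is tolerated
#   system-store verification required, but no explicit anchor, so the outcome
#                depends on what the linked TLS library treats as its default store
#                (Ken's "usual place"; check that your private CA is really in it)
#   pinned-ca    verification required against a named CA file or directory
ldap_tls_verdict() {
    case "$(ldap_reqcert_policy "$1")" in
        demand|hard)
            if ldap_has_trust_anchor "$1"; then echo pinned-ca; else echo system-store; fi ;;
        *)  echo unverified ;;
    esac
}

# Live probe (network; defined here but not run). Both URLs end in the same kind
# of TLS session; only the point at which TLS starts differs. -verify_return_error
# makes s_client fail instead of merely printing a verify error, and -CAfile pins
# the private CA (path is the caller's). Requires OpenSSL 1.1.1+ for -starttls ldap.
ldap_tls_probe() {   # usage: ldap_tls_probe <host> <ca.pem>
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error </dev/null
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" -verify_return_error </dev/null
}

# Constructed sample configs (assumptions for this example, not real hosts or paths).
LDAPCONF_DEMO=$(mktemp -d)
trap 'rm -rf "$LDAPCONF_DEMO"' EXIT

cat > "$LDAPCONF_DEMO/weak.conf" <<'EOF'
# the usual "make the certificate error go away" setting: any cert is accepted
URI ldaps://ldap.example.test
TLS_REQCERT never
EOF

cat > "$LDAPCONF_DEMO/strict.conf" <<'EOF'
URI ldaps://ldap.example.test
TLS_CACERT /etc/pki/tls/certs/internal-ca.pem
TLS_REQCERT demand
EOF

cat > "$LDAPCONF_DEMO/default.conf" <<'EOF'
# nothing TLS-related: libldap default (demand) applies, trust store is the library's
URI ldaps://ldap.example.test
EOF

for f in weak strict default; do
    printf '%-8s %s\n' "$f" "$(ldap_tls_verdict "$LDAPCONF_DEMO/$f.conf")"
done
```

The point of the verdict split is that "no TLS_CACERT" is not by itself a misconfiguration, which is exactly Ken's setup: verification is still demanded, it just trusts whatever store the TLS library OpenLDAP was built against consults, so the check to add in that case is that the private CA is installed there. TLS_REQCERT never is the setting to grep for in an audit; it makes ldaps and StartTLS equally vulnerable to an impersonating server, whichever transport is used.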