[39607] in Kerberos
Re: ldap tls question
daemon@ATHENA.MIT.EDU (Carson Gaspar)
Thu Apr 16 14:08:53 2026
Message-ID: <5009a24a-25c2-4f32-81d8-495c31d98667@taltos.org>
Date: Thu, 16 Apr 2026 12:07:32 -0600
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Language: en-US
From: Carson Gaspar <carson@taltos.org>
In-Reply-To: <202604161751.63GHpDxD011017@hedwig.cmf.nrl.navy.mil>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 4/16/2026 11:51 AM, Ken Hornstein via Kerberos wrote:
>> In the matter of security there is the unanswered second part of the
>> question. How to verify the server certificate even when using ldaps? I see
>> no option to specify a CA certificate or to demand server certificate
>> verification.
> FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
> but fine, it's not something I care to argue about. But my memory is that
> at least with OpenLDAP there is a configuration file where you can specify
> all of these things. Also since OpenLDAP links against a separate TLS
> library you could put server CA certificates in the "usual place" where
> the TLS library implementation looks for those things. We use a non-public
> PKI infrastructure for our LDAP server and we put those server certificates
> in the appropriate place for the operating system and it Just Works.
Using the "usual place" is questionable, as it includes the mass of
Internet CAs. If you trust them to never issue certs for your LDAP
server name, fine. I'm less sanguine about the security of random CAs
(and there have been multiple past incidents of bogus certs being issued).
To control the additional LDAP options, you can either set environment
variables in your krb5kdc process, or set up an ldaprc / ldapconf file.
So either set LDAPTLS_CACERT / LDAPTLS_CACERTDIR env vars, or the
TLS_CACERT / TLS_CACERTDIR options in ldaprc. You can also set TLS_CERT
/ TLS_KEY to use an X.509 client cert for AuthN.
To specify a location for an ldaprc file, set HOME and LDAPRC env vars,
or specify LDAPCONF. You may also want to set LDAPNOINIT. Some options
can't be set in an ldap.conf file.
I wish krb5kdc exposed a mechanism to set arbitrary OpenLDAP options,
but the above should do what you want.
--
Carson
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
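The configuration route described in the reply above, as an added example (not part of the original post or of the krb5 or OpenLDAP projects): a small POSIX shell script that writes an ldaprc-style file pinning the KDC's LDAP client to a private CA and requiring server certificate verification, and an audit function that flags a file still relying on the TLS library's default trust store. It uses the TLS_CACERT option named in the reply plus TLS_REQCERT, a standard ldap.conf(5) option; the hostname, file paths and the certificate contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the list post: pin the KDC's OpenLDAP client to a
# private CA instead of the system trust store (the "usual place"), using an
# ldap.conf(5)-syntax file selected through LDAPCONF. Hostname and paths are
# constructed placeholders.

# Write a minimal client config that trusts only the given CA bundle and
# fails the connection when the server cert does not verify (TLS_REQCERT demand).
write_ldaprc() {
    rc_file=$1
    ca_file=$2
    cat > "$rc_file" <<EOF
# OpenLDAP client options for krb5kdc (ldap.conf(5) syntax)
URI         ldaps://kdc-ldap.example.internal
TLS_CACERT  $ca_file
TLS_REQCERT demand
EOF
}

# Audit an existing ldap.conf/ldaprc: returns 0 ("ok") only when a CA file is
# pinned and verification is mandatory; anything else is reported as weak.
# Keywords in ldap.conf are case-insensitive, hence toupper/tolower.
check_ldaprc() {
    file=$1
    ca=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$file")
    req=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$file")
    if [ -z "$ca" ]; then
        echo "weak: no TLS_CACERT, client falls back to the TLS library default store"
        return 1
    fi
    case "$req" in
        demand|hard|"") ;;   # unset defaults to demand in OpenLDAP
        *) echo "weak: TLS_REQCERT $req does not fail on a bad server cert"
           return 1 ;;
    esac
    echo "ok: trusts only $ca, server cert verification enforced"
    return 0
}

# Stand-alone demonstration with constructed files in a temp directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed placeholder, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$tmp/private-ca.pem"

    write_ldaprc "$tmp/ldaprc" "$tmp/private-ca.pem"
    check_ldaprc "$tmp/ldaprc"

    # Weak variant: no CA pinned, bad server certs merely tolerated.
    printf 'URI ldaps://kdc-ldap.example.internal\nTLS_REQCERT try\n' \
        > "$tmp/ldaprc.weak"
    check_ldaprc "$tmp/ldaprc.weak" || true

    # krb5kdc picks the file up through LDAPCONF in its service environment
    # (e.g. a systemd Environment= line); ldapsearch honours the same variable,
    # so the file can be tested from a shell before touching the KDC:
    #   LDAPCONF=$tmp/ldaprc ldapsearch -x -b '' -s base
    rm -rf "$tmp"
}

[ "${NO_DEMO:-}" = 1 ] || demo
```

The equivalent environment-variable route from the reply is LDAPTLS_CACERT (and LDAPTLS_REQCERT) exported into the krb5kdc process; either way the point is that the client trusts exactly one CA file rather than every CA the operating system ships.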