Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

kerberos with connection to tls openldap

18 views
Skip to first unread message

Augustin Wolf

unread,
May 15, 2013, 1:34:42 PM5/15/13
to kerb...@mit.edu
Hi,
I have a problem that I believe isn't very common. I'm trying to use
OpenLDAP as an back-end database for kerberos.
As far as I managed to create realm, and add principals, I would like
to secure a LDAP a bit.
I added LDAP option: security ssf=128, and it enforces encryption. It
works well for ldapsearch - without option "-Z" I got message:
Confidentiality required
This is also the case when I try to obtain ticket:

[user@virtual ]# kinit
kinit: Generic error (see e-text) while getting initial credentials

in krb5kdc logs I got:
May 15 00:24:43 virtual.example.com krb5kdc[1845](info): AS_REQ (4
etypes {18 17 16 23}) 127.0.0.1: LOOKING_UP_CLIENT: us...@EXAMPLE.COM
for krbtgt/EXAMP...@EXAMPLE.COM, LDAP handle unavailable:
Confidentiality required

Is there a way to enforce kerberos to use TLS/SSL while communicating
to OpenLDAP?

Best Regards,
Augustyn

Greg Hudson

unread,
May 15, 2013, 3:38:37 PM5/15/13
to kerb...@mit.edu
On 05/15/2013 01:34 PM, Augustin Wolf wrote:
> Is there a way to enforce kerberos to use TLS/SSL while communicating
> to OpenLDAP?

You can use an ldaps:// URL, and specify TLS parameters in ldap.conf(5)
if any are needed.

We don't yet support using StartTLS over the regular LDAP port.

Chris Hecker

unread,
May 16, 2013, 12:36:08 AM5/16/13
to kerb...@mit.edu

Any progress on getting the client cert SASL EXTERNAL stuff in so we
don't need a password on the two accounts? I know there was a patch for
this posted a while back that was too verbose for your liking...

Chris
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Greg Hudson

unread,
May 16, 2013, 12:58:19 AM5/16/13
to Chris Hecker, kerb...@mit.edu
On 05/16/2013 12:36 AM, Chris Hecker wrote:
> Any progress on getting the client cert SASL EXTERNAL stuff in so we
> don't need a password on the two accounts?

I made some progress a few months ago; I added automated tests for the
LDAP KDB module and started writing a project page to help nail down the
user-visible configuration options we want to have. The remaining
amount of work isn't too daunting, but I don't know when I'll be able to
allocate time for it.

0 new messages