OpenLDAP backend with StartTLS
Chris Hecker
checker at d6.com
Tue Oct 4 00:57:30 EDT 2011
I stuff the LDAP env vars before I start krb5kdc:
/etc/sysconfig$ cat krb5kdc
KRB5KDC_ARGS=
KRB5REALM=
# OpenLDAP client (libldap) settings, read from the environment as the
# LDAP-prefixed form of the ldap.conf(5) options TLS_CERT, TLS_KEY and SASL_MECH.
# Server-certificate verification is not set here, so it comes from the
# TLS_CACERT / TLS_REQCERT values in ldap.conf (or LDAPTLS_CACERT / LDAPTLS_REQCERT).
LDAPTLS_CERT=/var/cosign/crt/ldap-client-krbkdc.crt; export LDAPTLS_CERT
LDAPTLS_KEY=/var/cosign/crt/ldap-client-krbkdc.key; export LDAPTLS_KEY
# SASL EXTERNAL: bind as the identity carried in the client certificate, no password.
LDAPSASL_MECH=EXTERNAL; export LDAPSASL_MECH
DAEMON_COREFILE_LIMIT=unlimited
I can test this by setting them in the shell and using
ldapvi -d -Y EXTERNAL
and it'll tell you who you're connected as, which comes from the
CN=blah,O=blah in the certs. Then, you have to set up your dbmodules in
kdc.conf.
Chris
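The procedure above (export the libldap environment, confirm the SASL EXTERNAL identity, then point kdc.conf at the LDAP backend) as one checked start script. This is an added example, not code from the post or from MIT krb5; it also sets LDAPTLS_CACERT and LDAPTLS_REQCERT=demand so the StartTLS session is verified against a specific CA, which the original question asked about. The LDAP URI, CA path, container DN, realm and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from Chris Hecker's post or from MIT krb5): a start wrapper
# that sets the same OpenLDAP client environment before krb5kdc, adds the CA
# pinning and key-permission checks a KDC deployment wants, and emits the
# kdc.conf dbmodules stanza. All paths, URIs, DNs and the realm are assumptions.
set -u

LDAP_URI=ldap://ldap.example.com                  # assumed: StartTLS on port 389
CERT=/var/cosign/crt/ldap-client-krbkdc.crt       # client cert path from the post
KEY=/var/cosign/crt/ldap-client-krbkdc.key        # matching private key
CACERT=/etc/pki/tls/certs/internal-ca.crt         # assumed: CA that signed slapd's cert
CONTAINER_DN='cn=krbcontainer,dc=example,dc=com'  # assumed Kerberos container
REALM=EXAMPLE.COM                                 # assumed realm

# libldap reads ldap.conf(5) options from the environment as LDAP<OPTION>.
# LDAPTLS_CACERT plus LDAPTLS_REQCERT=demand pin the StartTLS session to one CA;
# without them verification falls back to whatever ldap.conf says.
# Arguments: cert key cacert
kdc_ldap_env() {
    LDAPTLS_CERT=$1;        export LDAPTLS_CERT
    LDAPTLS_KEY=$2;         export LDAPTLS_KEY
    LDAPTLS_CACERT=$3;      export LDAPTLS_CACERT
    LDAPTLS_REQCERT=demand; export LDAPTLS_REQCERT
    LDAPSASL_MECH=EXTERNAL; export LDAPSASL_MECH   # bind as the cert's subject, no password
}

# Refuse to start if any file is missing or the private key is group/world
# readable. Arguments: cert key cacert. Returns 0 if sane, 1 otherwise.
check_tls_files() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    mode=$(stat -c %a "$2" 2>/dev/null || stat -f %Lp "$2")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) echo "private key $2 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Emit the kdc.conf fragment that points the realm at the LDAP backend.
# Arguments: realm ldap_uri container_dn
kdc_conf_dbmodule() {
    cat <<EOF
[realms]
    $1 = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = $2
        ldap_kerberos_container_dn = $3
        # krb5 1.13 and later can request SASL EXTERNAL here; on older releases
        # the LDAPSASL_MECH environment variable is what selects it.
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
    }
EOF
}

# Usage: sh kdc-ldap-start.sh start   (any other invocation only defines the functions)
if [ "${1:-}" = start ]; then
    check_tls_files "$CERT" "$KEY" "$CACERT" || exit 1
    kdc_ldap_env "$CERT" "$KEY" "$CACERT"
    # -ZZ forces StartTLS and fails if it cannot be negotiated or the server
    # certificate does not verify; the "dn:" line printed is the identity the
    # KDC will bind as (the subject of the client certificate).
    ldapwhoami -ZZ -H "$LDAP_URI" -Y EXTERNAL || exit 1
    exec krb5kdc -n
fi
```

Two things the ldapwhoami check surfaces before the KDC ever starts: slapd only hands SASL EXTERNAL the certificate identity when its TLSVerifyClient is set to try or demand (the default, never, does not request a client certificate at all), and the dn: it prints is the identity that any authz-regexp mapping and the ACLs on the Kerberos container must grant write access to.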
On 2011/10/03 10:35, Tom Parker wrote:
> Good Afternoon.
>
> I am having problems getting my krb5kdc to talk to an LDAP server
> protected with StartTLS on port 389.
>
> I am not sure how to tell my kdc in kdc.conf to use TLS with a specific
> CA certificate.
>
> Is this possible and if so how?
>
> Thanks a lot.
>
> Tom Parker
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>