kdc ldap referral handling strangeness
Greg Hudson
ghudson at MIT.EDU
Sun Mar 18 22:22:27 EDT 2012
On 03/15/2012 11:45 AM, Kevan Carstensen wrote:
> Ideally, I'd like for the kdc to catch the referral, verify that it
> points to the master slapd or some permissible slapd (to avoid malicious
> referrals that could cause the kdc to disclose the credentials for the
> service principal or some other bad thing)
Can you explain how a "malicious referral" could come about? If the
communication channel between slapd and the KDC isn't secure, there are
lots of other attacks.
> then bind to the master
> slapd and attempt to perform the modification there.
Would it then go back to the original connection for subsequent
operations? (I assume so; otherwise, you may as well just point the
slave KDCs at the master LDAP server, as they'd wind up there soon enough.)
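The referral check Kevan describes and the "go back to the original connection" behaviour Greg asks about, as an added example that is not part of this thread and not MIT krb5's own LDAP backend code: a KDC-side client that performs reads on the replica it was configured with, and when a write comes back as an LDAP referral, chases it only to a master on an administrator-supplied allowlist of (scheme, host, port) tuples, so the service principal's bind credentials are never sent to an unexpected host. The slapd objects, hostnames, DNs, attribute values and the allowlist format are all constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Default ports for the two URL schemes an LDAP referral may use (RFC 4516).
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return (scheme, host, port) for an LDAP URL, or None if it is not one we accept."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or LDAP_DEFAULT_PORTS[scheme]
    except ValueError:            # non-numeric port in the URL
        return None
    return scheme, parts.hostname, port


def permitted_referrals(urls, permitted):
    """Keep only the referral URLs whose (scheme, host, port) is on the admin's allowlist."""
    return [u for u in urls if parse_ldap_url(u) in permitted]


class Referral(Exception):
    """Stand-in for an LDAP referral result (resultCode 10) carrying its URL list."""
    def __init__(self, urls):
        super().__init__("referral")
        self.urls = list(urls)


@dataclass
class FakeSlapd:
    """Constructed stand-in for slapd: a master applies writes, a replica refers them to its masters."""
    url: str
    master_urls: list = field(default_factory=list)   # empty means this server is the master
    entries: dict = field(default_factory=dict)
    ops: list = field(default_factory=list)           # (operation, DN) log, for inspection only

    def bind(self, dn, password):
        self.ops.append(("bind", dn))

    def search(self, dn):
        self.ops.append(("search", dn))
        return self.entries.get(dn)

    def modify(self, dn, attrs):
        self.ops.append(("modify", dn))
        if self.master_urls:
            raise Referral(self.master_urls)
        self.entries.setdefault(dn, {}).update(attrs)


@dataclass
class KdcLdapClient:
    """Models the KDC side: reads stay on the configured server; a referred write is retried
    only on a master that passes the allowlist, so the bind credentials reach nothing else."""
    primary: FakeSlapd
    servers: dict        # url -> FakeSlapd; constructed registry standing in for opening a connection
    permitted: set       # (scheme, host, port) tuples for the masters the admin trusts with writes
    bind_dn: str
    bind_pw: str

    def _connect(self, url):
        server = self.servers[url]
        server.bind(self.bind_dn, self.bind_pw)
        return server

    def modify(self, dn, attrs):
        try:
            self.primary.modify(dn, attrs)
            return self.primary.url
        except Referral as ref:
            targets = permitted_referrals(ref.urls, self.permitted)
            if not targets:
                raise PermissionError("refusing to chase referral to %r" % ref.urls)
            master = self._connect(targets[0])
            master.modify(dn, attrs)
            return master.url

    def search(self, dn):
        # Subsequent operations go back to the original connection, not to the master.
        return self.primary.search(dn)


BIND_DN = "cn=kdc-service,cn=krbcontainer,dc=example,dc=com"          # constructed
PRINC_DN = "krbPrincipalName=host/a.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"


def demo():
    """Constructed scenario: the replica's referral names an attacker host first, the real master second."""
    master = FakeSlapd(url="ldaps://master.example.com/")
    evil = FakeSlapd(url="ldap://evil.example.com/")
    replica = FakeSlapd(url="ldaps://replica.example.com/", master_urls=[evil.url, master.url])
    allow = {("ldaps", "master.example.com", 636)}
    kdc = KdcLdapClient(primary=replica, servers={master.url: master, evil.url: evil},
                        permitted=allow, bind_dn=BIND_DN, bind_pw="constructed-secret")
    wrote_to = kdc.modify(PRINC_DN, {"krbLastFailedAuth": "20120318222227Z"})
    kdc.search(PRINC_DN)                       # next operation returns to the replica

    # A referral that names no permitted master is refused rather than followed.
    only_evil = FakeSlapd(url="ldaps://replica2.example.com/", master_urls=[evil.url])
    kdc2 = KdcLdapClient(primary=only_evil, servers={evil.url: evil},
                         permitted=allow, bind_dn=BIND_DN, bind_pw="constructed-secret")
    try:
        kdc2.modify(PRINC_DN, {"krbLoginFailedCount": "1"})
        refused = False
    except PermissionError:
        refused = True

    return {"wrote_to": wrote_to,
            "replica_ops": [op for op, _ in replica.ops],
            "master_ops": [op for op, _ in master.ops],
            "evil_ops": evil.ops,
            "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The allowlist compares scheme, host and port rather than the raw URL string, so `ldaps://master.example.com/` and `ldaps://master.example.com:636/` match while a plaintext `ldap://` referral to the same host does not; in a real deployment the replica-to-KDC channel still needs to be protected, as Greg notes, since otherwise the referral is only one of several things an attacker on that path could tamper with.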