kerberos with connection to tls openldap

Augustin Wolf augustynwilk at
Wed May 15 13:34:42 EDT 2013

I have a problem that I believe isn't very common. I'm trying to use
OpenLDAP as a back-end database for Kerberos.
So far I have managed to create a realm and add principals, and now I
would like to secure LDAP a bit.
I added the LDAP option: security ssf=128, and it enforces encryption. It
works well for ldapsearch - without the option "-Z" I got the message:
Confidentiality required
This is also the case when I try to obtain a ticket:

[user at virtual ]# kinit
kinit: Generic error (see e-text) while getting initial credentials

In the krb5kdc logs I got:
May 15 00:24:43 krb5kdc[1845](info): AS_REQ (4
etypes {18 17 16 23}) LOOKING_UP_CLIENT: user at EXAMPLE.COM
for krbtgt/EXAMPLE.COM at EXAMPLE.COM, LDAP handle unavailable:
Confidentiality required

Is there a way to force Kerberos to use TLS/SSL while communicating
with OpenLDAP?

Best Regards,
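
Added example, not part of the original post: a [dbmodules] section for the MIT krb5 LDAP back end (kldap) showing a plain ldap:// server entry next to an ldaps:// one, which is the kind of connection a slapd with "security ssf=128" will accept. The module name, host name, DNs and key file path are constructed placeholders; the setting names are the standard kdc.conf ones.

```ini
# kdc.conf -- constructed example; names below are placeholders, not from the post
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=com"
        ldap_kdc_dn = "cn=kdc-service,dc=example,dc=com"
        ldap_kadmind_dn = "cn=adm-service,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

        # Before: plain LDAP. The KDC's bind carries no TLS layer, so a slapd
        # configured with "security ssf=128" refuses it with
        # "Confidentiality required", as in the krb5kdc log above.
        # ldap_servers = ldap://ldap.example.com

        # After: TLS is negotiated before any LDAP traffic is sent.
        # slapd must also be started with an ldaps:/// listener.
        ldap_servers = ldaps://ldap.example.com
    }
```

The KDC goes through libldap, so the CA that signed the slapd certificate has to be trusted there (TLS_CACERT in ldap.conf). An ldapi:// socket is the other URI type the krb5 documentation recommends, but slapd assigns local sessions an SSF of 71 by default (localSSF), which is still below 128.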
