Problem with LDAP Referrals and Kerberos LDAP Backend

Christopher Racky christopher.racky at
Sun Nov 3 15:13:19 EST 2013

   Hello Greg,
   Thank you very much for your reply.
   I don't understand why this behavior is expected. For my opinion this
   is a bug.
   I would expect that after processsing referrals the same credentials
   are still reused.
   Is that a missunderstanding on my side?

   If not: it seems to be, that you know very exactly the place where
   this must be fixed.
   I'm not sure if you are a developer. If yes, do you think you could
   merge this into the next Kerberos source-code patches / updates.

   Thank you very much for your help,
   best regards

   On 10/24/2013 05:50 PM, Greg Hudson wrote:
   > This works great with the Solaris (modified) Kerberos Release, but
   >    with Linux we have the following issue:
   >    KDC or KADMIN follow the LDAP referral but do not bind (LDAP)
   using a
   >    defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an
   >    LDAP-bind is performed.
   After looking at the OpenLDAP code for processing referrals, I think
   this is expected behavior since we never call ldap_set_rebind_proc()
   the LDAP handle.  So I think we would need code changes in order to
   support this scenario.
   I don't know how this works for you in Solaris Kerberos.  They appear
   use a different LDAP library, but it still seems to require an
   ldap_set_rebind_proc() call in order to do non-anonymous binds when
   following referrals.  I looked at an old version of their Kerberos
   and they don't appear to have added a call to that function.

More information about the Kerberos mailing list