Problem with LDAP Referrals and Kerberos LDAP Backend
Christopher Racky
christopher.racky at web.de
Sun Nov 3 15:13:19 EST 2013
Hello Greg,
Thank you very much for your reply.
I don't understand why this behavior is expected. For my opinion this
is a bug.
I would expect that after processsing referrals the same credentials
are still reused.
Is that a missunderstanding on my side?
If not: it seems to be, that you know very exactly the place where
this must be fixed.
I'm not sure if you are a developer. If yes, do you think you could
merge this into the next Kerberos source-code patches / updates.
Thank you very much for your help,
best regards
Chris
On 10/24/2013 05:50 PM, Greg Hudson wrote:
> This works great with the Solaris (modified) Kerberos Release, but
> with Linux we have the following issue:
[...]
> KDC or KADMIN follow the LDAP referral but do not bind (LDAP)
using a
> defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an
anonymous
> LDAP-bind is performed.
After looking at the OpenLDAP code for processing referrals, I think
this is expected behavior since we never call ldap_set_rebind_proc()
on
the LDAP handle. So I think we would need code changes in order to
support this scenario.
I don't know how this works for you in Solaris Kerberos. They appear
to
use a different LDAP library, but it still seems to require an
ldap_set_rebind_proc() call in order to do non-anonymous binds when
following referrals. I looked at an old version of their Kerberos
code
and they don't appear to have added a call to that function.
More information about the Kerberos
mailing list