Problem with LDAP Referrals and Kerberos LDAP Backend

Greg Hudson ghudson at MIT.EDU
Thu Oct 24 11:50:47 EDT 2013


On 10/23/2013 04:17 PM, Christopher Racky wrote:
> This works great with the Solaris (modified) Kerberos Release, but
> with Linux we have the following issue:
[...]
> KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using a
> defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
> LDAP-bind is performed.

After looking at the OpenLDAP code for processing referrals, I think
this is expected behavior since we never call ldap_set_rebind_proc() on
the LDAP handle.  So I think we would need code changes in order to
support this scenario.

I don't know how this works for you in Solaris Kerberos.  They appear to
use a different LDAP library, but it still seems to require an
ldap_set_rebind_proc() call in order to do non-anonymous binds when
following referrals.  I looked at an old version of their Kerberos code
and they don't appear to have added a call to that function.
