Problem with LDAP Referrals and Kerberos LDAP Backend
Christopher Racky
christopher.racky at web.de
Sun Jan 5 11:18:18 EST 2014
Hello together,

It seems that not many people use LDAP Referral together with MIT Kerberos.
Nevertheless the missing support ("feature") is something I really need.
Is it possible that one of the developers adds this functionality?
If not: Greg, could you please point out the places, or try to add it? I can do the necessary tests.

Best regards
Chris
On 11/03/2013 03:13 PM, Christopher Racky wrote:
> I don't understand why this behavior is expected. In my opinion this
> is a bug.

It's simplest to think of this as a missing feature. If I read the code correctly, callers of the OpenLDAP library follow referrals using anonymous binds by default. With additional effort, callers can control how referrals bind.

Although I believe I know roughly how the preferred behavior could be implemented, it would not be trivial to develop or test, so I can't give you any guarantees as to when it might happen.
-
Hello Greg,

Thank you very much for your reply.

I don't understand why this behavior is expected. In my opinion this is a bug.
I would expect that after processing referrals the same credentials are still reused.
Is that a misunderstanding on my side?
If not: it seems that you know exactly the place where this must be fixed.
I'm not sure if you are a developer. If yes, do you think you could merge this into the next Kerberos source-code patches / updates?

Thank you very much for your help,
best regards
Chris
On 10/24/2013 05:50 PM, Greg Hudson wrote:
> This works great with the Solaris (modified) Kerberos Release, but
> with Linux we have the following issue:
[...]
> KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using a
> defined user (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
> LDAP-bind is performed.

After looking at the OpenLDAP code for processing referrals, I think this is expected behavior since we never call ldap_set_rebind_proc() on the LDAP handle. So I think we would need code changes in order to support this scenario.

I don't know how this works for you in Solaris Kerberos. They appear to use a different LDAP library, but it still seems to require an ldap_set_rebind_proc() call in order to do non-anonymous binds when following referrals. I looked at an old version of their Kerberos code and they don't appear to have added a call to that function.