Problem with LDAP Referrals and Kerberos LDAP Backend

Christopher Racky christopher.racky at web.de
Sun Jan 5 11:18:18 EST 2014


   Hello all,

   It seems that not many people use LDAP referrals together with MIT
   Kerberos.
   Nevertheless, the missing support ("feature") is something I really
   need.

   Is it possible that one of the developers adds this functionality?
   If not: Greg, could you please specify the places, or try to add it? I
   can do the necessary tests.

   Best regards
   Chris


   On 11/03/2013 03:13 PM, Christopher Racky wrote:
   > I don't understand why this behavior is expected. In my opinion this
   > is a bug.
   It's simplest to think of this as a missing feature.  If I read the code
   correctly, callers of the OpenLDAP library follow referrals using
   anonymous binds by default.  With additional effort, callers can control
   how referrals bind.
   Although I believe I know roughly how the preferred behavior could be
   implemented, it would not be trivial to develop or test, so I can't give
   you any guarantees as to when it might happen.

   -

   Hello Greg,
   Thank you very much for your reply.
   I don't understand why this behavior is expected. In my opinion this
   is a bug.
   I would expect that after processing referrals the same credentials
   are still reused.
   Is that a misunderstanding on my side?

   If not: it seems that you know exactly the place where
   this must be fixed.
   I'm not sure if you are a developer. If yes, do you think you could
   merge this into the next Kerberos source-code patches / updates?

   Thank you very much for your help,
   best regards
   Chris



   On 10/24/2013 05:50 PM, Greg Hudson wrote:
   > This works great with the Solaris (modified) Kerberos Release, but
   > with Linux we have the following issue:
   [...]
   > KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using the
   > defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
   > LDAP-bind is performed.
   After looking at the OpenLDAP code for processing referrals, I think
   this is expected behavior since we never call ldap_set_rebind_proc() on
   the LDAP handle.  So I think we would need code changes in order to
   support this scenario.
   I don't know how this works for you in Solaris Kerberos.  They appear to
   use a different LDAP library, but it still seems to require an
   ldap_set_rebind_proc() call in order to do non-anonymous binds when
   following referrals.  I looked at an old version of their Kerberos code
   and they don't appear to have added a call to that function.
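To make the behaviour Greg describes concrete, the following is an added example that is not part of this thread, of MIT Kerberos, or of OpenLDAP: a small in-memory Python model of LDAP referral chasing. The host names (ldap-a/ldap-b.example.com), the bind DN cn=kdc-service,dc=example,dc=com, the principal DN and the password are all constructed. A search for the principal entry at the master returns a referral to the replica; without a rebind procedure, the new connection to the replica is anonymous and the protected entry cannot be read, which is the symptom reported in the thread. With a rebind procedure, the configured bind DN and password are reused on the referred connection. The rebind procedure here releases the password only to hosts on an operator-supplied list: a referral URL is data handed over by the directory, so an unrestricted rebind would send the KDC's bind password to whatever host a referral names.

```python
# Added example, not code from the thread, MIT Kerberos or OpenLDAP.
# In-memory model of referral chasing: the client opens a fresh connection
# to the server named in the referral; that connection is anonymous unless a
# rebind procedure (OpenLDAP: ldap_set_rebind_proc) supplies credentials.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

ANONYMOUS = ""  # empty bind DN == anonymous simple bind

# Constructed names standing in for ldap_kdc_dn and its kdc.conf password.
MASTER = "ldap-a.example.com"
REPLICA = "ldap-b.example.com"
KDC_DN = "cn=kdc-service,dc=example,dc=com"
KDC_PW = "constructed-secret"
PRINC_DN = ("krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,"
            "cn=krbcontainer,dc=example,dc=com")


@dataclass
class Server:
    """Toy directory server: entries, referrals, simple-bind accounts and
    the DNs that anonymous connections are not allowed to read."""
    host: str
    entries: dict
    referrals: dict   # dn -> LDAP URL on another server
    accounts: dict    # bind dn -> password
    protected: set    # dns hidden from anonymous readers

    def bind(self, dn: str, password: Optional[str]) -> str:
        """Simple bind; returns the identity the connection now runs as."""
        if dn == ANONYMOUS:
            return ANONYMOUS
        if self.accounts.get(dn) != password:
            raise PermissionError(f"{self.host}: invalid credentials for {dn}")
        return dn

    def search(self, who: str, dn: str):
        if dn in self.referrals:
            return "referral", self.referrals[dn]
        if dn in self.protected and who == ANONYMOUS:
            raise PermissionError(f"{self.host}: anonymous access to {dn} denied")
        return "entry", self.entries[dn]


RebindProc = Callable[[str], Tuple[str, Optional[str]]]


class Client:
    """Referral-chasing client. rebind_proc plays the role of the OpenLDAP
    rebind callback: given the referral target host, it returns the
    credentials to bind the new connection with."""

    def __init__(self, directory: dict, rebind_proc: Optional[RebindProc] = None):
        self.directory = directory      # host -> Server
        self.rebind_proc = rebind_proc
        self.bind_log = []              # (host, identity) for every bind made

    def search(self, host, bind_dn, password, dn, max_hops=5):
        srv = self.directory[host]
        who = srv.bind(bind_dn, password)
        self.bind_log.append((host, who))
        for _ in range(max_hops):
            kind, value = srv.search(who, dn)
            if kind == "entry":
                return value
            url = urlparse(value)
            srv = self.directory[url.hostname]
            # Fresh connection: anonymous unless the rebind procedure says otherwise.
            if self.rebind_proc is None:
                who = srv.bind(ANONYMOUS, None)
            else:
                who = srv.bind(*self.rebind_proc(url.hostname))
            self.bind_log.append((url.hostname, who))
            dn = url.path.lstrip("/")   # an LDAP URL carries the DN in its path
        raise RuntimeError("too many referral hops")


def make_rebind_proc(bind_dn, password, trusted_hosts) -> RebindProc:
    """Reuse the configured credentials, but only towards listed hosts; the
    referral target is server-supplied data, so an unrestricted rebind would
    hand the KDC's bind password to any host a referral names."""
    def rebind(host):
        if host in trusted_hosts:
            return bind_dn, password
        return ANONYMOUS, None
    return rebind


def build_directory():
    referral_url = f"ldap://{REPLICA}/{PRINC_DN}"
    master = Server(MASTER, entries={}, referrals={PRINC_DN: referral_url},
                    accounts={KDC_DN: KDC_PW}, protected=set())
    replica = Server(REPLICA, entries={PRINC_DN: {"krbPrincipalName": "alice@EXAMPLE.COM"}},
                     referrals={}, accounts={KDC_DN: KDC_PW}, protected={PRINC_DN})
    return {MASTER: master, REPLICA: replica}


def lookup(rebind_proc=None):
    """Search alice's principal entry starting at the master.
    Returns (status, payload, bind_log)."""
    client = Client(build_directory(), rebind_proc)
    try:
        entry = client.search(MASTER, KDC_DN, KDC_PW, PRINC_DN)
        return "ok", entry, client.bind_log
    except PermissionError as exc:
        return "denied", str(exc), client.bind_log


if __name__ == "__main__":
    print(lookup())                                              # denied: anonymous on the replica
    print(lookup(make_rebind_proc(KDC_DN, KDC_PW, {REPLICA})))   # ok: credentials reused
    print(lookup(make_rebind_proc(KDC_DN, KDC_PW, set())))        # denied: unlisted host stays anonymous
```

In the real OpenLDAP API the hook is ldap_set_rebind_proc(): the registered callback receives the new connection handle and the referral URL and performs the bind itself, so the host check shown in make_rebind_proc belongs inside that callback rather than around it.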

