ldap tls question
Stefan Kania
stefan at kania-online.de
Thu Apr 16 12:00:44 EDT 2026
Hi,
you should not use start_tls because ssl (ldaps) is much more secure. Here is the part from my configuration:
[dbmodules]
ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
ldap_servers = "ldaps://provider01.example.net"
ldap_conns_per_server = 5
}
If you need more than one ldap-server you can have a list separated by blanks.
On 16.04.26 at 09:18, Marek Greško via Kerberos wrote:
> Hello,
>
> I use mit kerberos with ldap backend. I have defined ldap_servers in dbmodule to ldap://FQDN. Since this is a local host it is not a problem. But I am interested in how to configure it correctly if the ldap server is not local and I want to use start_tls on ldap instead of ssl on ldaps. Also I am interested in how I can specify the CA certificate file for either start_tls or ssl and how to require certificate verification. I cannot see options for these settings in the manuals.
>
> Thanks
>
> Marek
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
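As an added example (not code from this thread or from MIT Kerberos), a small Python check over a kdc.conf [dbmodules] stanza shaped like the one above: it parses the kldap module block and reports every ldap_servers entry that still uses plaintext ldap:// rather than ldaps:// (or the local ldapi:// socket). The sample config text is constructed, and the blank-separated ldap_servers list follows the reply above.

```python
import re

# Constructed sample modelled on the stanza above; the second server is
# deliberately listed over plaintext ldap:// so the check has something to find.
SAMPLE_KDC_CONF = """
[dbmodules]
ldapconf = {
    db_library = kldap
    ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
    ldap_servers = "ldaps://provider01.example.net ldap://provider02.example.net"
    ldap_conns_per_server = 5
}
"""


def parse_dbmodules(text):
    """Parse the brace-delimited module blocks inside [dbmodules].

    krb5 config files are not INI, so this is a small hand-rolled parser for
    the form  name = { key = value ... }  with optional double-quoted values.
    Returns {module_name: {key: value}}.
    """
    modules, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                      # new section header
            in_section = line.lower() == "[dbmodules]"
            continue
        if not in_section:
            continue
        opened = re.match(r"^(\w+)\s*=\s*\{$", line)  # "ldapconf = {"
        if opened:
            current = opened.group(1)
            modules[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")       # split at first '=' only
            modules[current][key.strip()] = value.strip().strip('"')
    return modules


def plaintext_ldap_servers(modules):
    """Return (module, uri) pairs whose scheme is neither ldaps:// nor ldapi://.

    kldap accepts a blank-separated list in ldap_servers, so split on whitespace.
    """
    findings = []
    for name, keys in modules.items():
        if keys.get("db_library") != "kldap":
            continue
        for uri in keys.get("ldap_servers", "").split():
            if uri.split("://", 1)[0].lower() not in ("ldaps", "ldapi"):
                findings.append((name, uri))
    return findings
```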