ldap tls question

Marek Greško marek.gresko at protonmail.com
Thu Apr 16 13:41:35 EDT 2026


Hello,

The "much more secure" is a subject for discussion, since you can usually demand server certificate verification. I suppose it is not possible in Kerberos?

On the matter of security, there is the unanswered second part of the question: how to verify the server certificate even when using ldaps? I see no option to specify a CA certificate or to demand server certificate verification.

Thanks

Marek




Sent with Proton Mail secure email.

On Thursday 16 April 2026, 18:58, Stefan Kania <stefan at kania-online.de> wrote:

> Hi,
> 
> you should not use start_tls because ssl (ldaps) is much more secure. Here is the part from my configuration:
> 
> [dbmodules]
>          ldapconf = {
>                  db_library = kldap
>                  ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
>                  ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
>                  ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
>                  ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
>                  ldap_servers = "ldaps://provider01.example.net"
>                  ldap_conns_per_server = 5
>                  }
> If you need more than one LDAP server, you can have a list separated by blanks.
> 
> Am 16.04.26 um 09:18 schrieb Marek Greško via Kerberos:
> > Hello,
> >
> > I use MIT Kerberos with the LDAP backend. I have defined ldap_servers in dbmodules to ldap://FQDN. Since this is a local host it is not a problem. But I am interested in how to configure it correctly if the LDAP server is not local and I want to use start_tls on ldap instead of ssl on ldaps. Also I am interested in how I can specify a CA certificate file for either start_tls or ssl and how to require certificate verification. I cannot see options for these settings in the manuals.
> >
> > Thanks
> >
> > Marek
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
> 
> 
> 
> 
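An added example, not part of this thread, illustrating the verification question raised above. It assumes the kldap module is linked against OpenLDAP's libldap (the common build), which takes its TLS trust settings (TLS_CACERT, TLS_REQCERT, documented in ldap.conf(5)) from ldap.conf rather than from krb5.conf; the thread itself does not state this. The script audits a constructed dbmodules stanza, modelled on the one posted above but with a second server added, and two constructed ldap.conf fragments, flagging any ldap:// server (no TLS at connect time) and an ldap.conf that does not demand verification against a named CA file. All host names and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TLS-related settings of a
# kldap deployment. Assumption: libldap reads TLS_CACERT / TLS_REQCERT from
# ldap.conf, so that is where server certificate verification is controlled.

# Constructed [dbmodules] stanza; the second, plain ldap:// server is
# deliberately included so the audit has something to flag.
KRB5_CONF_SAMPLE='[dbmodules]
        ldapconf = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
                ldap_servers = "ldaps://provider01.example.net ldap://provider02.example.net"
                ldap_conns_per_server = 5
        }'

# Constructed ldap.conf fragments: weak setting beside the corrected one.
LDAP_CONF_WEAK='TLS_REQCERT never'
LDAP_CONF_HARD='TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand'

# Print every ldap:// URL found in the ldap_servers value (one per line).
# Such a server is only protected if the client negotiates start_tls later.
plain_ldap_servers() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' \
      | tr ' ' '\n' \
      | grep '^ldap://' || true
}

# Succeed only when ldap.conf demands certificate verification (TLS_REQCERT
# demand or hard; ldap.conf(5) documents demand as the default when unset)
# and names a CA file or directory to verify against.
ldap_conf_verifies() {
    reqcert=$(printf '%s\n' "$1" | awk '$1=="TLS_REQCERT"{print $2}')
    cacert=$(printf '%s\n' "$1" | awk '$1=="TLS_CACERT"||$1=="TLS_CACERTDIR"{print $2}')
    [ -z "$reqcert" ] && reqcert=demand
    case "$reqcert" in
        demand|hard) ;;
        *) return 1 ;;
    esac
    [ -n "$cacert" ] || return 1
    return 0
}

echo "ldap_servers entries without TLS at connect time:"
plain_ldap_servers "$KRB5_CONF_SAMPLE"

if ldap_conf_verifies "$LDAP_CONF_HARD"; then
    echo "hardened ldap.conf: server certificate is verified against the CA"
fi
if ! ldap_conf_verifies "$LDAP_CONF_WEAK"; then
    echo "weak ldap.conf: server certificate is NOT verified (TLS_REQCERT never)"
fi
```

Run it as-is to see the two findings; to audit a live host, replace the constructed strings with `cat /etc/krb5.conf` and the ldap.conf your libldap actually reads (commonly /etc/ldap/ldap.conf or /etc/openldap/ldap.conf, depending on the distribution).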


