ldap tls question
Marek Greško
marek.gresko at protonmail.com
Fri Apr 17 01:26:41 EDT 2026
Hello,
This seems usable. So I suppose that when I set ldaps instead of ldap, Kerberos should stop working until I set LDAPTLS_CACERT in /etc/sysconfig/krb5kdc, right? (I am using Fedora 43.)
start_tls is not possible with MIT Kerberos, right?
Thanks
Marek
Sent with Proton Mail secure email.
On Thursday 16 April 2026, 20:09, Carson Gaspar <carson at taltos.org> wrote:
> On 4/16/2026 11:51 AM, Ken Hornstein via Kerberos wrote:
> >> In the matter of security there is the non answered second part of the
> >> question. How to verify server certificate even when using ldaps? I see
> >> no option to specify CA certificate or demanding server certificate
> >> verification.
> > FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
> > but fine, it's not something I care to argue about. But my memory is that
> > at least with OpenLDAP there is a configuration file where you can specify
> > all of these things. Also since OpenLDAP links against a separate TLS
> > library you could put server CA certificates in the "usual place" where
> > the TLS library implementation looks for those things. We use a non-public
> > PKI infrastructure for our LDAP server and we put those server certificates
> > in the appropriate place for the operating system and it Just Works.
>
> Using the "usual place" is questionable, as it includes the mass of
> Internet CAs. If you trust them to never issue certs for your LDAP
> server name, fine. I'm less sanguine about the security of random CAs
> (and there have been multiple past incidents of bogus certs being issued).
>
> To control the additional LDAP options, you can either set environment
> variables in your krb5kdc process, or set up an ldaprc / ldapconf file.
>
> So either set LDAPTLS_CACERT / LDAPTLS_CACERTDIR env vars, or the
> TLS_CACERT / TLS_CACERTDIR options in ldaprc. You can also set TLS_CERT
> / TLS_KEY to use an X.509 client cert for AuthN.
>
> To specify a location for an ldaprc file, set HOME and LDAPRC env vars,
> or specify LDAPCONF. You may also want to set LDAPNOINIT. Some options
> can't be set in an ldap.conf file.
>
> I wish krb5kdc exposed a mechanism to set arbitrary OpenLDAP options,
> but the above should do what you want.
>
> --
>
> Carson
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
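The configuration Carson describes (a CA pinned via LDAPTLS_CACERT / LDAPCONF for the krb5kdc process) together with the ldaps:// switch in kdc.conf that Marek asks about, as an added example that is not part of the thread and not MIT krb5 or OpenLDAP project code. Hostnames, DNs and file paths (ldap.example.com, /var/kerberos/krb5kdc/ldap-ca.pem, cn=kdc-service,dc=example,dc=com) are assumptions; the only facts relied on are that Fedora's krb5kdc.service reads /etc/sysconfig/krb5kdc as an EnvironmentFile, that libldap honours LDAPCONF and the LDAP* forms of ldap.conf(5) options, and that the kldap backend takes an ldaps:// URI in ldap_servers.

```shell
#!/bin/sh
# Added example (not from the thread): point a Fedora krb5kdc using the kldap
# backend at an ldaps:// server and restrict server-cert trust to one private
# CA instead of the OS bundle. All names below are hypothetical.

LDAP_URI="ldaps://ldap.example.com"
CA_FILE="/var/kerberos/krb5kdc/ldap-ca.pem"
KDC_LDAP_CONF="/var/kerberos/krb5kdc/ldap.conf"

# 1. libldap config read only by the KDC. Selecting it with LDAPCONF keeps the
#    KDC from inheriting /etc/openldap/ldap.conf, which usually trusts every
#    public CA in the OS bundle (Carson's concern).
kdc_ldap_conf() {
    cat <<EOF
# libldap settings for krb5kdc only (loaded via LDAPCONF)
TLS_CACERT $CA_FILE
TLS_REQCERT demand
EOF
}

# 2. Service environment. Fedora's krb5kdc.service loads /etc/sysconfig/krb5kdc
#    as an EnvironmentFile, so these reach libldap inside krb5kdc. The LDAP*
#    variables are the env form of the ldap.conf options; setting both is
#    redundant but keeps the pin if one file is later edited away.
kdc_sysconfig() {
    cat <<EOF
KRB5KDC_ARGS=
LDAPCONF=$KDC_LDAP_CONF
LDAPTLS_CACERT=$CA_FILE
LDAPTLS_REQCERT=demand
EOF
}

# 3. kdc.conf dbmodule: ldaps:// instead of the cleartext ldap:// (shown
#    commented out for contrast).
kdc_dbmodule() {
    cat <<EOF
[dbmodules]
    ldap_backend = {
        db_library = kldap
        # ldap_servers = ldap://ldap.example.com   # cleartext: avoid
        ldap_servers = $LDAP_URI
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
    }
EOF
}

# Write the three fragments into a staging directory ($1) for review before
# copying them into place; lists what was created.
render_into() {
    dir="$1"
    mkdir -p "$dir"
    kdc_ldap_conf > "$dir/ldap.conf"
    kdc_sysconfig > "$dir/krb5kdc"
    kdc_dbmodule  > "$dir/kdc.conf.dbmodules"
    ls "$dir"
}

# Manual check against the real server (not run here): ldapsearch honours the
# same LDAP* variables as the KDC, so a bind must succeed with the real CA
# ($1) and fail with a CA that did not issue the server cert ($2). Doing the
# positive case first avoids mistaking an unreachable server for a rejection.
tls_pin_check() {
    real_ca="$1"; bogus_ca="$2"
    LDAPTLS_CACERT="$real_ca" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$LDAP_URI" -x -b '' -s base 1.1 >/dev/null 2>&1 \
        || { echo "FAIL: bind with the real CA failed" >&2; return 1; }
    if LDAPTLS_CACERT="$bogus_ca" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$LDAP_URI" -x -b '' -s base 1.1 >/dev/null 2>&1; then
        echo "FAIL: accepted with an untrusted CA; trust is not pinned" >&2
        return 1
    fi
    echo "ok: real CA accepted, untrusted CA rejected"
}

if [ "${1:-}" = "render" ]; then
    render_into "${2:-./kdc-ldap-staging}"
fi
```

Run as `sh kdc-ldaps.sh render /tmp/stage` to produce the fragments, then run `tls_pin_check` by hand with the real CA and, say, the OS bundle as the "bogus" CA; if the second bind still succeeds, the KDC is not actually pinned to the private CA. LDAPNOINIT is deliberately not set here, since ldap.conf(5) documents it as disabling all defaulting. On Fedora the KDC runs confined by SELinux, so if krb5kdc fails to start after this change, check the audit log for a denial on the CA file before suspecting the TLS setup.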