ldap tls question
Ken Hornstein
kenneth.hornstein.ctr at nrl.navy.mil
Fri Apr 17 12:48:59 EDT 2026
>this seems usable. So I suppose when I set ldaps instead of
>ldap, kerberos should stop working until I set LDAPTLS_CACERT in
>/etc/sysconfig/krb5kdc right? (I am using Fedora 43.)
I believe that is correct, yes, assuming it can't verify the certificate
using the OS certificate store.
>The start_tls is not possible with MIT kerberos, right?
Assuming you're using the OpenLDAP libraries, my reading of the
code is that if ldap_new_connection() sees that the server supports
start_tls then it will automatically attempt it. _However_ ... it
will not require that start_tls succeeds like the "-ZZ" option to
the command-line utilities. So you would be vulnerable to an active
downgrade attack by a rogue server. So I believe the answer is, "It
will probably work, but you shouldn't use it in this case". There does
not seem to be a client-side configuration setting that would enforce
the use of start_tls, which is kind of unfortunate. You can do that
on the _server_, but again that doesn't help you with a rogue server and
an active downgrade attack.
--Ken
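A defender-side check for the two points above (ldaps:// rather than an unenforced start_tls, and LDAPTLS_CACERT in the KDC's environment file), as an added example that is not part of the thread or of MIT krb5; the Fedora paths and the sample configuration contents are assumptions constructed for the demo.

```shell
# Audit a MIT krb5 LDAP-backend setup for the two points in the thread:
#  1. every ldap_servers URI in kdc.conf should be ldaps://; with ldap:// the
#     OpenLDAP client only attempts start_tls opportunistically, so a rogue
#     server can strip it (nothing like ldapsearch's -ZZ applies in the KDC);
#  2. the KDC's environment file must set LDAPTLS_CACERT to a readable CA
#     bundle, or the server certificate cannot be verified.
# Added example, not code from the thread or from MIT krb5; sample data is constructed.

# check_ldap_servers <kdc.conf>: 0 only if every ldap_servers URI is ldaps://
check_ldap_servers() {
    rc=0
    uris=$(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$uris" ] || { echo "no ldap_servers entry in $1"; return 2; }
    for u in $uris; do            # the value is a whitespace-separated URI list
        case "$u" in
            ldaps://*) echo "OK   $u: TLS from the first byte" ;;
            ldap://*)  echo "WEAK $u: start_tls not enforced, downgradable"; rc=1 ;;
            *)         echo "WEAK $u: no TLS at all"; rc=1 ;;
        esac
    done
    return $rc
}

# check_cacert <env file>: 0 if LDAPTLS_CACERT names a readable file
check_cacert() {
    ca=$(grep -E '^[[:space:]]*(export[[:space:]]+)?LDAPTLS_CACERT=' "$1" \
         | tail -n 1 | cut -d= -f2- | tr -d '"')
    [ -n "$ca" ] || { echo "LDAPTLS_CACERT not set in $1"; return 1; }
    [ -r "$ca" ] || { echo "LDAPTLS_CACERT=$ca is not readable"; return 1; }
    echo "OK   LDAPTLS_CACERT=$ca"
}

# audit <kdc.conf> <env file>: 0 only if both checks pass
audit() { check_ldap_servers "$1" && check_cacert "$2"; }

# write_samples <dir>: constructed sample files (hypothetical hosts) for the demo
write_samples() {
    printf '[dbmodules]\n  ldapconf = {\n    db_library = kldap\n    ldap_servers = ldap://kdc1.example.com ldaps://kdc2.example.com\n  }\n' > "$1/weak.conf"
    printf '[dbmodules]\n  ldapconf = {\n    db_library = kldap\n    ldap_servers = ldaps://kdc1.example.com\n  }\n' > "$1/good.conf"
    : > "$1/ca.crt"                            # empty stand-in for the CA bundle
    printf 'KRB5KDC_ARGS=\nLDAPTLS_CACERT="%s/ca.crt"\n' "$1" > "$1/sysconfig"
}

# Demo on the constructed samples; for a real KDC on Fedora run instead e.g.
#   audit /var/kerberos/krb5kdc/kdc.conf /etc/sysconfig/krb5kdc
d=$(mktemp -d); write_samples "$d"
audit "$d/weak.conf" "$d/sysconfig" || echo "weak sample: FAIL (expected)"
audit "$d/good.conf" "$d/sysconfig" && echo "good sample: PASS"
rm -rf "$d"
```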