ldap tls question
Marek Greško
marek.gresko at protonmail.com
Sat Apr 18 07:49:47 EDT 2026
Hello Ken,
thanks for the detailed analysis.
Marek
Sent with Proton Mail secure email.
On Friday, 17 April 2026, 18:49, Ken Hornstein <kenneth.hornstein.ctr at nrl.navy.mil> wrote:
> >this seems usable. So I suppose when I set ldaps instead of
> >ldap, kerberos should stop working until I set LDAPTLS_CACERT in
> >/etc/sysconfig/krb5kdc right? (I am using Fedora 43.)
>
> I believe that is correct, yes, assuming it can't verify the certificate
> using the OS certificate store.
>
> >The start_tls is not possible with MIT kerberos, right?
>
> Assuming you're using the OpenLDAP libraries, my reading of the
> code is that if ldap_new_connection() sees that the server supports
> start_tls then it will automatically attempt it. _However_ ... it
> will not require that start_tls succeeds like the "-ZZ" option to
> the command-line utilities. So you would be vulnerable to an active
> downgrade attack by a rogue server. So I believe the answer is, "It
> will probably work, but you shouldn't use it in this case". There does
> not seem to be a client-side configuration setting that would enforce
> the use of start_tls, which is kind of unfortunate. You can do that
> on the _server_, but again doesn't help you with a rogue server and an
> active downgrade attack.
>
> --Ken
>
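Ken's two points above (a plain ldap:// URI only gets opportunistic STARTTLS on the client side, so a rogue server can downgrade it, while ldaps:// needs a CA bundle such as LDAPTLS_CACERT unless the OS store already verifies the certificate) can be turned into a small configuration audit. This is an added example, not code from the thread or from MIT krb5 or OpenLDAP; it assumes the `ldap_servers` key in the kdc.conf `[dbmodules]` stanza and a sysconfig-style environment file, both shown as constructed samples.

```python
"""Audit an MIT krb5 KDC LDAP-backend configuration for the TLS pitfalls
discussed in the thread: plain ldap:// URIs (client-side STARTTLS is only
opportunistic, so an active downgrade is possible) and ldaps:// URIs with
no CA bundle configured for certificate verification.

The sample inputs are constructed for this example; the kdc.conf key names
and the sysconfig layout are assumptions for illustration.
"""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: a [dbmodules] stanza in the style of kdc.conf.
SAMPLE_KDC_CONF = """
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldaps://ldap1.example.test ldap://ldap2.example.test
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test
    }
"""

# Constructed sample: environment file in the style of /etc/sysconfig/krb5kdc.
SAMPLE_SYSCONFIG = """
# KRB5KDC_ARGS=
LDAPTLS_CACERT=/etc/pki/tls/certs/ldap-ca.pem
"""


def parse_ldap_servers(kdc_conf: str) -> list[str]:
    """Return every URI listed on ldap_servers lines (space separated)."""
    uris = []
    for line in kdc_conf.splitlines():
        m = re.match(r"\s*ldap_servers\s*=\s*(.+)$", line)
        if m:
            uris.extend(m.group(1).split())
    return uris


def parse_env_file(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines of a sysconfig-style file, skipping comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = " ".join(shlex.split(value))
    return env


def audit(kdc_conf: str, sysconfig: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    env = parse_env_file(sysconfig)
    for uri in parse_ldap_servers(kdc_conf):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldap":
            # STARTTLS may be attempted, but nothing forces it to succeed.
            findings.append(
                f"{uri}: plain ldap:// URI; client-side STARTTLS is opportunistic, "
                "so a rogue server can downgrade to cleartext. Use ldaps://."
            )
        elif scheme == "ldaps":
            if not env.get("LDAPTLS_CACERT"):
                findings.append(
                    f"{uri}: ldaps:// without LDAPTLS_CACERT; verification relies "
                    "on the OS trust store or the connection fails."
                )
        elif scheme == "ldapi":
            pass  # local Unix socket; no network path for a downgrade
        else:
            findings.append(f"{uri}: unrecognised scheme {scheme!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_KDC_CONF, SAMPLE_SYSCONFIG):
        print("WARN:", finding)
```

Run against the samples it flags only the second server (ldap://), because the first is ldaps:// and a CA bundle is set; clearing LDAPTLS_CACERT from the environment file makes the ldaps:// entry show up as well.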