[krbdev.mit.edu #7754] LDAP KDB module uses anonymous bind when following referrals
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Nov 4 11:25:08 EST 2013
The LDAP KDB module uses OpenLDAP or a similar library. If the module
performs a search or update which results in a referral to another
server, the referral is handled internally by the library. By default,
the library makes an anonymous bind to the new server. This is not
useful in most scenarios where one would want to use referrals for a
Kerberos database, because it is rarely appropriate to make Kerberos data
available to anonymous clients.
We can control how referral binds take place by calling
ldap_set_rebind_proc with an appropriate callback. We should probably
set a callback which uses the same credentials as we use to bind to the
initial server.
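Added example (not code from the ticket or from the krb5 source) of the rebind callback proposed above, written against OpenLDAP's ldap_set_rebind_proc API: it re-binds to the referred-to server with the same DN and password used for the initial bind instead of libldap's default anonymous bind. It assumes, as an addition of mine, that the password may only be re-sent over ldaps:// or ldapi://, since a referral to a cleartext ldap:// URL would otherwise deliver the KDB password to whatever host the referral names; the struct and function names are hypothetical, and the libldap-specific part compiles only where ldap.h is present.

```c
#include <string.h>

/* Credentials of the initial bind, kept for re-use on referrals. */
struct rebind_creds {
    const char *bind_dn;    /* DN used for the initial bind */
    const char *password;   /* its simple-bind password */
};

/* Policy check (my addition): only re-send the password if the
 * referral URL's scheme keeps it off the wire in cleartext. */
int referral_url_is_safe(const char *url)
{
    if (url == NULL)
        return 0;
    return strncmp(url, "ldaps://", 8) == 0 ||
           strncmp(url, "ldapi://", 8) == 0;
}

#if defined(__has_include)
#if __has_include(<ldap.h>)
#include <ldap.h>
#define HAVE_LDAP_H 1
#endif
#endif

#ifdef HAVE_LDAP_H
/* LDAP_REBIND_PROC: libldap calls this before re-issuing the request
 * on the server named by url; params is the pointer passed to
 * ldap_set_rebind_proc. A non-zero return makes libldap drop the
 * referral's connection instead of proceeding anonymously. */
static int kdb_rebind_proc(LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
                           ber_int_t msgid, void *params)
{
    struct rebind_creds *c = params;
    struct berval cred;
    (void)request;
    (void)msgid;

    if (!referral_url_is_safe(url))
        return LDAP_CONFIDENTIALITY_REQUIRED;
    cred.bv_val = (char *)c->password;
    cred.bv_len = strlen(c->password);
    /* Same credentials as the initial server, on the referred-to one. */
    return ldap_sasl_bind_s(ld, c->bind_dn, LDAP_SASL_SIMPLE, &cred,
                            NULL, NULL, NULL);
}
/* Install after the initial bind succeeds:
 *   ldap_set_rebind_proc(ld, kdb_rebind_proc, &creds); */
#endif
```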