SASL/GSSAPI bind in LDAP plugin?

Nicolas Williams Nicolas.Williams at
Wed Feb 15 18:27:52 EST 2006

On Wed, Feb 15, 2006 at 12:34:40PM -0500, Sam Hartman wrote:
> I think that what you want to do is have at least one KDC on a
> directory server and use SASL external with a unix domain socket.


Bootstrapping this is difficult.

Using TLS has its issues.  Either you set up a PKI, or you use
self-signed certs, and then you need a way to distribute the certs so
you don't have to visit every KDC every time a DS cert is added/revoked.

Using Kerberos V presents a chicken-and-egg problem that can be solved by
either relying on other KDCs being up (ugh) or on keeping copies of the
DS host keys on the KDCs (also ugh), which in turn requires keeping
those up to date on re-keys.

Using DIGEST-MD5 would work...  Just give every KDC a randomized
password and let them use that to get the KDB entries they need to
properly do a LDAP SASL/GSSAPI bind to the DSs and re-bind.

More information about the krbdev mailing list