| From | Stefan Kania <stefan@kania-online.de> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: ldap tls question |
| Date | 2026-04-16 18:00 +0200 |
| Organization | Stefan Kania |
| Message-ID | <mailman.16.1776355277.1813.kerberos@mit.edu> (permalink) |
| References | <Wue5t2JvMQ5zG470bx88Nm-TkZTm0lrlD4NZQN8uTudXRMZ9IhaySGpjjm8u1VezYyZy6-mSm473bUkPRhNSEohj7dgq8OJ8Vf-mgXJDBrI=@protonmail.com> <68c35ef9-8303-464f-afec-00305a30a08f@kania-online.de> |
Hi,
you should not use start_tls because ssl (ldaps) is much more secure. Here is the part from my configuration:
```
[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
        ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
        ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
        ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
        ldap_servers = "ldaps://provider01.example.net"
        ldap_conns_per_server = 5
    }
```
If you need more than one LDAP server, you can have a list separated by blanks.
Am 16.04.26 um 09:18 schrieb Marek Greško via Kerberos:
> Hello,
>
> I use MIT Kerberos with an LDAP backend. I have defined ldap_servers in dbmodules to ldap://FQDN. Since this is a local host it is not a problem. But I am interested in how to configure it correctly if the LDAP server is not local and I want to use start_tls on ldap instead of SSL on ldaps. Also I am interested in how I can specify a CA certificate file for either start_tls or SSL and how to require certificate verification. I cannot see options for these settings in the manuals.
>
> Thanks
>
> Marek
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
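The ldap_servers value above is a blank-separated list of URIs, and the KDC binds to each one with the password stored in the service keyfile, so a plain ldap:// entry pointing at a non-local host sends that bind in cleartext. The following is an added example, not code from the post or from MIT krb5: it parses the [dbmodules] stanza of a constructed kdc.conf and classifies each ldap_servers entry by the transport it implies. It assumes the standard krb5 profile syntax shown above; CA file and verification policy for ldaps:// are not krb5.conf settings, libldap reads them from its own ldap.conf (TLS_CACERT, TLS_REQCERT).

```python
from urllib.parse import urlsplit

# Constructed sample: the stanza from the post plus two extra ldap:// entries
# to show what the check flags. (Example input, not the poster's real config.)
SAMPLE_KDC_CONF = """\
[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
        ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
        ldap_servers = "ldaps://provider01.example.net ldap://ldap02.example.net ldap://localhost"
        ldap_conns_per_server = 5
    }
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def ldap_servers(conf_text):
    """Return the blank-separated ldap_servers URIs found inside [dbmodules]."""
    in_dbmodules = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_dbmodules = (line == "[dbmodules]")
            continue
        if in_dbmodules and line.startswith("ldap_servers"):
            value = line.split("=", 1)[1].strip().strip('"')
            return value.split()  # the profile value is a list separated by blanks
    return []


def classify(uri):
    """Classify one ldap_servers entry by how the KDC bind would travel."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme == "ldaps":
        return "tls"             # encrypted from the first byte; CA/verify policy via ldap.conf
    if parts.scheme == "ldapi":
        return "unix-socket"     # local IPC, never leaves the host
    if parts.scheme == "ldap":
        # plaintext LDAP: acceptable only when it stays on the loopback interface
        return "plaintext-local" if host in LOOPBACK_HOSTS else "plaintext"
    return "unknown"


def findings(conf_text):
    """Map every configured server URI to its classification."""
    return {uri: classify(uri) for uri in ldap_servers(conf_text)}
```

Any entry reported as "plaintext" is the case the reply warns against: the KDC's LDAP bind credentials cross the network unprotected.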