Projects/LDAP TLS support
From K5Wiki
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Description
This project adds support for STARTTLS and client certificate authentication to the LDAP KDB module, based on contributions from Zoran Pericic.
Background
Zoran Pericic contributed patches to add support in the LDAP KDB module for SASL binding, STARTTLS, and anonymous binding. Release 1.13 added support for SASL binding, but did not add support for STARTTLS or anonymous binding.
Design
The following profile variables and database options will be added:
- "ldap_kdc_starttls" and "ldap_kadmind_starttls" profile variables, "starttls" DB parameter (boolean)
- "ldap_kdc_tls_certfile" and "ldap_kadmind_tls_certfile" profile variables, "tls_certfile" DB parameter
- "ldap_kdc_tls_keyfile" and "ldap_kadmind_tls_keyfile" profile variables, "tls_keyfile" DB parameter
- "ldap_tls_cacertdir" profile variable, "tls_cacertdir" DB parameter
- "ldap_tls_cacertfile" profile variable, "tls_cacertfile" DB parameter
- "ldap_tls_crlcheck" profile variable, "tls_crlcheck" DB parameter (values "none", "peer", and "all"; "peer" checks the revocation status of the server certificate only, "all" checks every certificate in the chain, and either setting requires tls_cacertdir, since the OpenLDAP client looks for CRLs in that hashed directory)
If starttls is set, ldap_start_tls_s will be called on the LDAP handle before binding. (TLS can also be indicated via the ldaps URI scheme, in which case the connection is encrypted from the start and STARTTLS must not also be issued.) The other options will be set with ldap_set_option (LDAP_OPT_X_TLS_CERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CACERTDIR, LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CRLCHECK) to influence the LDAP library's behavior. With OpenLDAP, TLS options set on a handle only take effect once LDAP_OPT_X_TLS_NEWCTX is set on that handle, so the module must do this after setting the options and before ldap_start_tls_s or the first bind. Whether the server certificate is verified at all is still governed by the library's TLS_REQCERT setting (ldap.conf(5), default "demand"); these options do not override it, and tls_crlcheck only adds revocation checking on top of that verification.
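The following krb5.conf stanza is an added example of how the options above would be used together; it is not taken from the project's documentation. The db_library, ldap_kerberos_container_dn, ldap_servers and ldap_*_sasl_mech settings are existing MIT krb5 LDAP module options (SASL binding was added in 1.13), the TLS lines use the names proposed on this page, and the realm, host name and file paths are placeholders. Pairing the client certificates with a SASL EXTERNAL bind is an assumption; the page itself does not specify which bind type uses them.

```ini
# Added example (not project code): a realm backed by the LDAP KDB module with
# STARTTLS, server certificate verification, CRL checking and per-daemon client
# certificates.  Realm, host and paths are placeholders.
[realms]
    EXAMPLE.COM = {
        database_module = ldap_tls
    }

[dbmodules]
    ldap_tls = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com

        # Plain ldap:// URI; STARTTLS upgrades it before any bind is sent.
        # With an ldaps:// URI the session is encrypted from the start and
        # the starttls options are left unset.
        ldap_servers = ldap://ldap.example.com
        ldap_kdc_starttls = true
        ldap_kadmind_starttls = true

        # Trust anchors for the directory server's certificate.  CRLs for
        # tls_crlcheck are looked up in the hashed cacertdir.
        ldap_tls_cacertfile = /etc/krb5kdc/ldap-ca.pem
        ldap_tls_cacertdir = /etc/krb5kdc/ldap-crls
        ldap_tls_crlcheck = peer

        # Per-daemon client certificates, presented during a SASL EXTERNAL
        # bind (assumption: that is how the certificate identifies the
        # daemon).  Each key file must be readable only by the account
        # running that daemon.
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kdc_tls_certfile = /etc/krb5kdc/kdc-ldap-cert.pem
        ldap_kdc_tls_keyfile = /etc/krb5kdc/kdc-ldap-key.pem
        ldap_kadmind_sasl_mech = EXTERNAL
        ldap_kadmind_tls_certfile = /etc/krb5kdc/kadmind-ldap-cert.pem
        ldap_kadmind_tls_keyfile = /etc/krb5kdc/kadmind-ldap-key.pem
    }
```

The weak variant of this stanza is the pre-existing one: ldap_servers = ldap://... with ldap_kdc_dn and ldap_service_password_file and no starttls setting, which sends the simple-bind password and every principal lookup in cleartext. The TLS options only help if the library also verifies the server certificate, so TLS_REQCERT in the system ldap.conf should be left at its default of "demand" on KDC hosts.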
Testing
TBD
Mailing list discussions
- http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html
- http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html
Release notes
TBD