Projects/LDAP TLS support

From K5Wiki
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.

Description

This project adds support for STARTTLS and client certificate authentication to the LDAP KDB module, based on contributions from Zoran Pericic.

Background

Zoran Pericic contributed patches to add support in the LDAP KDB module for SASL binding, STARTTLS, and anonymous binding. Release 1.13 added support for SASL binding, but did not add support for STARTTLS or anonymous binding.

Design

The following profile variables and database parameters will be added:

  • "ldap_kdc_starttls" and "ldap_kadmind_starttls" profile variables, "starttls" DB parameter (boolean)
  • "ldap_kdc_tls_certfile" and "ldap_kadmind_tls_certfile" profile variables, "tls_certfile" DB parameter
  • "ldap_kdc_tls_keyfile" and "ldap_kadmind_tls_keyfile" profile variables, "tls_keyfile" DB parameter
  • "ldap_tls_cacertdir" profile variable, "tls_cacertdir" DB parameter
  • "ldap_tls_cacertfile" profile variable, "tls_cacertfile" DB parameter
  • "ldap_tls_crlcheck" profile variable, "tls_crlcheck" DB parameter (values "none", "peer", and "all")

If starttls is set, ldap_start_tls_s() will be called on the LDAP handle before binding. (TLS can also be requested by using the ldaps URI scheme in the server URI, in which case the connection is encrypted from the start and STARTTLS is not needed.) The remaining options will be passed to ldap_set_option() to control the LDAP library's TLS behavior: which client certificate and key it presents, which CA certificates it trusts for the server, and whether it checks certificate revocation.
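The following kdc.conf dbmodules stanza is an added illustration of how the proposed profile variables would be combined, not configuration from the project itself. The variable names are the ones listed above; the realm, container DN, file paths and server URI are constructed placeholders, and the dbmodules structure, db_library, ldap_servers, ldap_kerberos_container_dn, ldap_kdc_dn, ldap_kadmind_dn and ldap_service_password_file keys are the existing LDAP KDB module settings.

```ini
[dbmodules]
    # Weak form: plaintext ldap:// with no STARTTLS, so bind credentials and
    # principal data cross the network unprotected. Shown only as the
    # "before" case; not something to deploy.
    ldap_plain = {
        db_library = kldap
        ldap_servers = ldap://ldap.example.com
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }

    # Hardened form: STARTTLS on the same ldap:// URI, server certificate
    # validated against a pinned CA file, peer revocation checked, and the
    # KDC and kadmind each presenting their own client certificate.
    ldap_tls = {
        db_library = kldap
        ldap_servers = ldap://ldap.example.com
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

        # Proposed by this project: upgrade the connection with
        # ldap_start_tls_s() before binding.
        ldap_kdc_starttls = true
        ldap_kadmind_starttls = true

        # Proposed by this project: trust anchors and revocation policy
        # ("none", "peer" or "all"); "none" would skip CRL checks entirely.
        ldap_tls_cacertfile = /etc/krb5kdc/ldap-ca.pem
        ldap_tls_crlcheck = peer

        # Proposed by this project: per-daemon client certificates, so the
        # directory can authenticate the KDC and kadmind separately.
        ldap_kdc_tls_certfile = /etc/krb5kdc/kdc-client.pem
        ldap_kdc_tls_keyfile = /etc/krb5kdc/kdc-client.key
        ldap_kadmind_tls_certfile = /etc/krb5kdc/kadmind-client.pem
        ldap_kadmind_tls_keyfile = /etc/krb5kdc/kadmind-client.key
    }
```

With an ldaps:// URI in ldap_servers the starttls variables would be unnecessary, but the certificate, CA and CRL settings would still apply.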

Testing

TBD

Mailing list discussions

Release notes

TBD