Bug 146912

Summary: openldap clients do not support kerberos authentication
Product: Red Hat Enterprise Linux 3 Reporter: Jason Sauve <jasonsauve77>
Component: openldapAssignee: Jan Safranek <jsafrane>
Status: CLOSED WONTFIX QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: andy.grimm, shillman, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-19 19:07:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Sauve 2005-02-02 18:27:23 UTC 
Description of problem:
openldap libraries and clients have not been compiled to support the 
use of Kerberos password checking. This functionality is required to 
securely bind to an Active Directory LDAP server functioning as a KDC 
using the openldap library/client in conjunciton with /etc/ldap.conf 
instead of using simple (insecure) LDAP binds to the AD LDAP server. 
Compiling with KRB5 support would elminate the disclosure of the 
plain text bindpw password stored in /etc/ldap.conf which is world-
readable. Using KRB5, the principal and key can be stored securely in 
a 0600 mode file under /etc where it could not be compromised. In 
addition, only the keytab needs to be given out not the plain text 
password.

Version-Release number of selected component (if applicable):
2.0.27-17

How reproducible:
Always

Steps to Reproduce:
1. ldapsearch -k
2.
3.
  
Actual results:
ldapsearch: not compiled with Kerberos support

Expected results:
KRB5 support enabled.

Additional info:
Comment 1 Suzanne Hillman 2005-02-08 15:38:27 UTC 
Internal RFE bug #147491 entered; will be considered for future releases.
Comment 2 Andy Grimm 2007-05-30 20:54:17 UTC 
Two years later, RHEL5 and Fedora still do not include kerberos support:

$ ldapsearch -x -h ldapserver -b "dc=my,dc=domain" -k "sAMaccountname=myuserid"
ldapsearch: not compiled with Kerberos support

I find this especially interesting because ldapsearch is clearly linked to the
kerberos libraries:

$ ldd /usr/bin/ldapsearch 
        linux-gate.so.1 =>  (0x00d32000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x4feb8000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x4fca5000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4fe00000)
        libssl.so.6 => /lib/libssl.so.6 (0x4f9f8000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x4f68c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4fc07000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4f44b000)
        libc.so.6 => /lib/libc.so.6 (0x4ebac000)
        libdl.so.2 => /lib/libdl.so.2 (0x4ed2d000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4fa3f000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4f8e2000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x4f8ce000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4f9b2000)
        libz.so.1 => /lib/libz.so.1 (0x4ed34000)
        /lib/ld-linux.so.2 (0x4e1a6000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x4f8d8000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x4f9da000)
Comment 3 RHEL Program Management 2007-10-19 19:07:53 UTC 
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.