Description of problem:
openldap libraries and clients have not been compiled to support the use of Kerberos password checking. This functionality is required to securely bind to an Active Directory LDAP server functioning as a KDC using the openldap library/client in conjunction with /etc/ldap.conf instead of using simple (insecure) LDAP binds to the AD LDAP server. Compiling with KRB5 support would eliminate the disclosure of the plain text bindpw password stored in /etc/ldap.conf which is world-readable. Using KRB5, the principal and key can be stored securely in a 0600 mode file under /etc where it could not be compromised. In addition, only the keytab needs to be given out, not the plain text password.

Version-Release number of selected component (if applicable):
2.0.27-17

How reproducible:
Always

Steps to Reproduce:
1. ldapsearch -k
2.
3.

Actual results:
ldapsearch: not compiled with Kerberos support

Expected results:
KRB5 support enabled.

Additional info:
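An added example, not part of the original report and not Red Hat's or OpenLDAP's code: a Python check for the exposure the report describes (a bindpw line in a world-readable ldap.conf), plus a mode check for a keytab. The function names and the sample file contents are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile


def audit_ldap_conf(path):
    """Flag a plain-text bindpw and a file mode that exposes it to all users."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_bindpw = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            parts = raw.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            # Keyword compared case-insensitively (assumption); value never echoed.
            if parts[0].lower() == "bindpw" and len(parts) == 2:
                has_bindpw = True
                findings.append(f"{path}:{lineno}: plain-text bindpw present")
    if has_bindpw and mode & stat.S_IROTH:
        findings.append(f"{path}: mode {mode:04o} is world-readable")
    return findings


def audit_keytab(path):
    """A keytab should be readable by its owner only (0600, as in the report)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o}, expected 0600"]
    return []


if __name__ == "__main__":
    # Constructed sample files; real paths would be /etc/ldap.conf and a keytab.
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "ldap.conf")
        with open(conf, "w") as fh:
            fh.write("# constructed sample\nbinddn cn=proxy,dc=my,dc=domain\n"
                     "bindpw example-secret\n")
        os.chmod(conf, 0o644)
        keytab = os.path.join(d, "ldap.keytab")
        open(keytab, "wb").close()
        os.chmod(keytab, 0o600)
        for finding in audit_ldap_conf(conf) + audit_keytab(keytab):
            print(finding)
```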
Internal RFE bug #147491 entered; will be considered for future releases.
Two years later, RHEL5 and Fedora still do not include Kerberos support:

$ ldapsearch -x -h ldapserver -b "dc=my,dc=domain" -k "sAMaccountname=myuserid"
ldapsearch: not compiled with Kerberos support

I find this especially interesting because ldapsearch is clearly linked to the Kerberos libraries:

$ ldd /usr/bin/ldapsearch
        linux-gate.so.1 => (0x00d32000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x4feb8000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x4fca5000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4fe00000)
        libssl.so.6 => /lib/libssl.so.6 (0x4f9f8000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x4f68c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4fc07000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4f44b000)
        libc.so.6 => /lib/libc.so.6 (0x4ebac000)
        libdl.so.2 => /lib/libdl.so.2 (0x4ed2d000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4fa3f000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4f8e2000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x4f8ce000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4f9b2000)
        libz.so.1 => /lib/libz.so.1 (0x4ed34000)
        /lib/ld-linux.so.2 (0x4e1a6000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x4f8d8000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x4f9da000)
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed.

For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/

If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.