Bug 146912 - openldap clients do not support kerberos authentication
openldap clients do not support kerberos authentication
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jan Safranek
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-02 13:27 EST by Jason Sauve
Modified: 2015-01-07 19:09 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-19 15:07:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jason Sauve 2005-02-02 13:27:23 EST
Description of problem:
openldap libraries and clients have not been compiled to support the 
use of Kerberos password checking. This functionality is required to 
securely bind to an Active Directory LDAP server functioning as a KDC 
using the openldap library/client in conjunciton with /etc/ldap.conf 
instead of using simple (insecure) LDAP binds to the AD LDAP server. 
Compiling with KRB5 support would elminate the disclosure of the 
plain text bindpw password stored in /etc/ldap.conf which is world-
readable. Using KRB5, the principal and key can be stored securely in 
a 0600 mode file under /etc where it could not be compromised. In 
addition, only the keytab needs to be given out not the plain text 
password.

Version-Release number of selected component (if applicable):
2.0.27-17

How reproducible:
Always

Steps to Reproduce:
1. ldapsearch -k
2.
3.
  
Actual results:
ldapsearch: not compiled with Kerberos support

Expected results:
KRB5 support enabled.

Additional info:
Comment 1 Suzanne Hillman 2005-02-08 10:38:27 EST
Internal RFE bug #147491 entered; will be considered for future releases.
Comment 2 Andy Grimm 2007-05-30 16:54:17 EDT
Two years later, RHEL5 and Fedora still do not include kerberos support:

$ ldapsearch -x -h ldapserver -b "dc=my,dc=domain" -k "sAMaccountname=myuserid"
ldapsearch: not compiled with Kerberos support

I find this especially interesting because ldapsearch is clearly linked to the
kerberos libraries:

$ ldd /usr/bin/ldapsearch 
        linux-gate.so.1 =>  (0x00d32000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x4feb8000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x4fca5000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4fe00000)
        libssl.so.6 => /lib/libssl.so.6 (0x4f9f8000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x4f68c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4fc07000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4f44b000)
        libc.so.6 => /lib/libc.so.6 (0x4ebac000)
        libdl.so.2 => /lib/libdl.so.2 (0x4ed2d000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4fa3f000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4f8e2000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x4f8ce000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4f9b2000)
        libz.so.1 => /lib/libz.so.1 (0x4ed34000)
        /lib/ld-linux.so.2 (0x4e1a6000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x4f8d8000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x4f9da000)
Comment 3 RHEL Product and Program Management 2007-10-19 15:07:53 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.