Bug 146912 - openldap clients do not support kerberos authentication
Summary: openldap clients do not support kerberos authentication
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap   
(Show other bugs)
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jan Safranek
QA Contact: Jay Turner
Depends On:
TreeView+ depends on / blocked
Reported: 2005-02-02 18:27 UTC by Jason Sauve
Modified: 2015-01-08 00:09 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-19 19:07:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jason Sauve 2005-02-02 18:27:23 UTC
Description of problem:
openldap libraries and clients have not been compiled to support the 
use of Kerberos password checking. This functionality is required to 
securely bind to an Active Directory LDAP server functioning as a KDC 
using the openldap library/client in conjunciton with /etc/ldap.conf 
instead of using simple (insecure) LDAP binds to the AD LDAP server. 
Compiling with KRB5 support would elminate the disclosure of the 
plain text bindpw password stored in /etc/ldap.conf which is world-
readable. Using KRB5, the principal and key can be stored securely in 
a 0600 mode file under /etc where it could not be compromised. In 
addition, only the keytab needs to be given out not the plain text 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ldapsearch -k
Actual results:
ldapsearch: not compiled with Kerberos support

Expected results:
KRB5 support enabled.

Additional info:

Comment 1 Suzanne Hillman 2005-02-08 15:38:27 UTC
Internal RFE bug #147491 entered; will be considered for future releases.

Comment 2 Andy Grimm 2007-05-30 20:54:17 UTC
Two years later, RHEL5 and Fedora still do not include kerberos support:

$ ldapsearch -x -h ldapserver -b "dc=my,dc=domain" -k "sAMaccountname=myuserid"
ldapsearch: not compiled with Kerberos support

I find this especially interesting because ldapsearch is clearly linked to the
kerberos libraries:

$ ldd /usr/bin/ldapsearch 
        linux-gate.so.1 =>  (0x00d32000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x4feb8000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x4fca5000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4fe00000)
        libssl.so.6 => /lib/libssl.so.6 (0x4f9f8000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x4f68c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4fc07000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4f44b000)
        libc.so.6 => /lib/libc.so.6 (0x4ebac000)
        libdl.so.2 => /lib/libdl.so.2 (0x4ed2d000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x4fa3f000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x4f8e2000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x4f8ce000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4f9b2000)
        libz.so.1 => /lib/libz.so.1 (0x4ed34000)
        /lib/ld-linux.so.2 (0x4e1a6000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x4f8d8000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x4f9da000)

Comment 3 RHEL Product and Program Management 2007-10-19 19:07:53 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.