Kerberos bind

In addition to a simple bind using a bind DN and a bind password, the secldapclntd daemon also supports a bind using Kerberos V credentials.

The keys of the bind principal are stored in a keytab file, and that file must be readable by the secldapclntd daemon for Kerberos bind to work. Because the keytab holds the principal's long-term key, it should be owned by root and not readable by any other user. With Kerberos bind enabled, the secldapclntd daemon authenticates to the LDAP server using the principal name and keytab specified in the /etc/security/ldap/ldap.cfg client configuration file. When Kerberos bind is in use, the secldapclntd daemon ignores the bind DN and bind password specified in the /etc/security/ldap/ldap.cfg file.

When Kerberos authentication succeeds, the secldapclntd daemon saves the bind credentials in the credential cache /etc/security/ldap/krb5cc_secldapclntd. The saved credentials are reused for later rebinds. If the cached credentials are more than one hour old when the secldapclntd daemon tries to rebind to an LDAP server, the daemon reinitializes and obtains fresh credentials rather than reusing the stale ones.

To configure the LDAP client system to use Kerberos bind, first configure the client with the mksecldap command, supplying a bind DN and a bind password. Once that configuration succeeds, edit the /etc/security/ldap/ldap.cfg file and set the correct values for the Kerberos related attributes. The secldapclntd daemon switches to Kerberos bind when it is restarted. After the Kerberos configuration is working, the bind DN and the bind password are no longer used, so they can be safely removed from, or commented out of, the /etc/security/ldap/ldap.cfg file.
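The following shell script is an added example of the second step of that procedure (editing ldap.cfg after mksecldap has run and the daemon is restarted); it is not part of the AIX documentation or IBM's own tooling. It works on a copy of ldap.cfg so it can be run offline, rewrites the file to enable Kerberos bind, comments out the now unused binddn and bindpwd lines, and refuses to proceed if the keytab is missing or readable by anyone but its owner. The attribute names useKRB5, krbprincipal, krbkeypath and krbcmddir, the principal name and the sample ldap.cfg contents are assumptions constructed for the example; check them against the ldap.cfg on your system before using the script for real.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: switch a copy of
# /etc/security/ldap/ldap.cfg from simple bind to Kerberos bind.
# The attribute names (useKRB5, krbprincipal, krbkeypath, krbcmddir)
# and the sample file contents below are assumptions for illustration.

# Write a constructed sample ldap.cfg, as mksecldap might leave it, to $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# ldap.cfg (constructed sample, simple bind as set up by mksecldap)
ldapservers:ldap1.example.com,ldap2.example.com
binddn:cn=ldapclient,ou=people,dc=example,dc=com
bindpwd:{DESv2}0123456789ABCDEF
useKRB5:no
#krbprincipal:
#krbkeypath:/etc/security/ldap/krb5.keytab
#krbcmddir:/usr/krb5/bin/
EOF
}

# Return 0 only if the keytab exists as a regular file with mode 0600,
# i.e. no group or other bits set; the long-term key must stay private.
# Parses the mode field of ls -ld, which is portable to AIX and Linux.
check_keytab_mode() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Print the value of attribute $2 from config file $1 (empty if unset
# or commented out).
cfg_value() {
    sed -n "s/^$2:\(.*\)/\1/p" "$1"
}

# Enable Kerberos bind in config file $1 for principal $2 using keytab $3,
# and comment out binddn/bindpwd, which the daemon then ignores anyway.
# Uses a temp file plus mv because AIX sed has no -i option.
enable_krb5_bind() {
    cfg=$1 principal=$2 keytab=$3
    check_keytab_mode "$keytab" || {
        echo "refusing: $keytab missing or not mode 0600" >&2
        return 1
    }
    sed -e 's/^useKRB5:.*/useKRB5:yes/' \
        -e "s|^#*krbprincipal:.*|krbprincipal:$principal|" \
        -e "s|^#*krbkeypath:.*|krbkeypath:$keytab|" \
        -e 's|^#*krbcmddir:.*|krbcmddir:/usr/krb5/bin/|' \
        -e 's/^binddn:/#binddn:/' \
        -e 's/^bindpwd:/#bindpwd:/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Stand-alone demonstration on a scratch copy (nothing under /etc is touched).
demo() {
    d=$(mktemp -d)
    write_sample_cfg "$d/ldap.cfg"
    : > "$d/krb5.keytab"
    chmod 600 "$d/krb5.keytab"
    enable_krb5_bind "$d/ldap.cfg" \
        "ldapclient/aixhost.example.com@EXAMPLE.COM" "$d/krb5.keytab" \
        && cat "$d/ldap.cfg"
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

On a real system the keytab should also be owned by root, which the script does not verify because the check must work on a scratch file; after editing ldap.cfg, restart the daemon with restart-secldapclntd so it picks up the Kerberos settings, then confirm the bind works before deleting the old binddn and bindpwd lines.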