• Re: ldap tls question

    From Stefan Kania@stefan@kania-online.de to kerberos on Thu Apr 16 18:00:44 2026
    From Newsgroup: comp.protocols.kerberos

    Hi,

    you should not use start_tls because ssl (ldaps) is much more secure. Here is the part from my configuration:

    [dbmodules]
        ldapconf = {
            db_library = kldap
            ldap_kerberos_container_dn = "cn=kerberos,dc=example,dc=net"
            ldap_kdc_dn = "cn=kdc,ou=kerberos-adm,dc=example,dc=net"
            ldap_kadmind_dn = "cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
            ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
            ldap_servers = "ldaps://provider01.example.net"
            ldap_conns_per_server = 5
        }

    If you need more than one ldap-server you can have a list separated by blanks.

    On 16.04.26 at 09:18, Marek Greško via Kerberos wrote:
    > Hello,
    >
    > I use mit kerberos with ldap backend. I have defined ldap_servers in dbmodule
    > to ldap://FQDN. Since this is a local host it is not a problem. But I am
    > interested in how to configure it correctly if the ldap server is not local
    > and I want to use start_tls on ldap instead of ssl on ldaps. Also I am
    > interested in how I can specify a CA certificate file for either start_tls
    > or ssl and how to require certificate verification. I cannot see an option
    > for these settings in the manuals.
    >
    > Thanks
    >
    > Marek

    --
    Stefan Kania

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Carson Gaspar@carson@taltos.org to kerberos on Thu Apr 16 12:07:32 2026
    From Newsgroup: comp.protocols.kerberos

    On 4/16/2026 11:51 AM, Ken Hornstein via Kerberos wrote:
    >> In the matter of security there is the unanswered second part of the
    >> question. How to verify the server certificate even when using ldaps? I
    >> see no option to specify a CA certificate or to demand server certificate
    >> verification.
    >
    > FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
    > but fine, it's not something I care to argue about. But my memory is that
    > at least with OpenLDAP there is a configuration file where you can specify
    > all of these things. Also since OpenLDAP links against a separate TLS
    > library you could put server CA certificates in the "usual place" where
    > the TLS library implementation looks for those things. We use a non-public
    > PKI infrastructure for our LDAP server and we put those server certificates
    > in the appropriate place for the operating system and it Just Works.

    Using the "usual place" is questionable, as it includes the mass of
    Internet CAs. If you trust them to never issue certs for your LDAP
    server name, fine. I'm less sanguine about the security of random CAs
    (and there have been multiple past incidents of bogus certs being issued).

    To control the additional LDAP options, you can either set environment variables in your krb5kdc process, or set up an ldaprc / ldapconf file.

    So either set LDAPTLS_CACERT / LDAPTLS_CACERTDIR env vars, or the
    TLS_CACERT / TLS_CACERTDIR options in ldaprc. You can also set TLS_CERT
    / TLS_KEY to use an X.509 client cert for AuthN.

    To specify a location for an ldaprc file, set HOME and LDAPRC env vars,
    or specify LDAPCONF. You may also want to set LDAPNOINIT. Some options
    can't be set in an ldap.conf file.

    I wish krb5kdc exposed a mechanism to set arbitrary OpenLDAP options,
    but the above should do what you want.
    --
    Carson


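Putting Carson's pointers together, as an added example that is not from the thread: a weak OpenLDAP client configuration beside the hardened one (TLS_CACERT pinned to a private CA, TLS_REQCERT demand), a systemd drop-in that points krb5kdc at that file via LDAPCONF, and a small audit run over both files. The paths under /etc/krb5kdc/, the CA file name and the unit name are assumptions; TLS_REQCERT comes from ldap.conf(5), not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: two OpenLDAP client configs for the KDC, plus an
# audit that flags the weak one. Paths under /etc/krb5kdc/ are assumptions.
set -eu

WORK=$(mktemp -d)

# Weak: trusts the whole system CA bundle and never verifies the server certificate,
# so any certificate (or none) is accepted on the ldaps:// connection.
cat > "$WORK/ldaprc.weak" <<'EOF'
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT never
EOF

# Hardened: trust only the private CA that issued the LDAP server's certificate and
# refuse the connection if the certificate is missing or does not verify.
cat > "$WORK/ldaprc.hardened" <<'EOF'
TLS_CACERT /etc/krb5kdc/private-ca.pem
TLS_REQCERT demand
EOF

# Make krb5kdc read that file instead of the system-wide ldap.conf (systemd drop-in;
# the unit name is an assumption). Written to WORK here, not installed.
cat > "$WORK/krb5kdc.service.d-ldap.conf" <<'EOF'
[Service]
Environment=LDAPCONF=/etc/krb5kdc/ldaprc
EOF

# audit_ldaprc FILE: print findings; return 0 if verification is enforced against a
# pinned CA, 1 otherwise. TLS_REQCERT unset means the library default, demand.
audit_ldaprc() {
  file=$1; rc=0
  reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$file")
  cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$file")
  case "$reqcert" in
    demand|hard|"") ;;
    *) echo "FAIL $file: TLS_REQCERT $reqcert does not enforce verification"; rc=1 ;;
  esac
  if [ -z "$cacert" ]; then
    echo "FAIL $file: no TLS_CACERT, trust falls back to the public CA set"; rc=1
  fi
  [ $rc -eq 0 ] && echo "OK   $file"
  return $rc
}

for f in "$WORK/ldaprc.weak" "$WORK/ldaprc.hardened"; do
  audit_ldaprc "$f" || true
done
```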
  • From Lawrence D’Oliveiro@ldo@nz.invalid to comp.protocols.kerberos on Sun Apr 19 05:50:21 2026
    From Newsgroup: comp.protocols.kerberos

    On Thu, 16 Apr 2026 12:07:32 -0600, Carson Gaspar wrote:

    > To control the additional LDAP options, you can either set
    > environment variables in your krb5kdc process, or set up an ldaprc /
    > ldapconf file.

    OpenLDAP stores all its configuration as part of the LDAP database
    structure itself, within a custom backend.

    I worked out some step-by-step instructions for setting this up in my
    README for this project <https://bitbucket.org/ldo17/serve_passwd/>.