From ed1fda0dbb9eba9b4c8a35e1dcf7865e8acfec9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Skrz=C4=99tnicki?=
Date: Wed, 16 Jul 2025 17:21:37 +0200
Subject: [PATCH 1/2] Don't omit CDP info for PKINIT certificates
---
 lib/srv/db/common/kerberos/kinit/ldap.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/srv/db/common/kerberos/kinit/ldap.go b/lib/srv/db/common/kerberos/kinit/ldap.go
index 487afe073d042..daf61b4d4ce0a 100644
--- a/lib/srv/db/common/kerberos/kinit/ldap.go
+++ b/lib/srv/db/common/kerberos/kinit/ldap.go
@@ -208,7 +208,7 @@ func (s *ldapConnector) tlsConfigForLDAP(ctx context.Context, clusterName string
 ClusterName: clusterName,
 Domain: s.ldapConfig.domain,
 ActiveDirectorySID: s.ldapConfig.serviceAccountSID,
- OmitCDP: true,
+ OmitCDP: false,
 }

 certPEM, keyPEM, caCerts, err := winpki.DatabaseCredentials(ctx, s.authClient, req)
From 01b70d8a3d612bb7fece6cdf25c76921404e4cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Skrz=C4=99tnicki?=
Date: Wed, 16 Jul 2025 18:06:01 +0200
Subject: [PATCH 2/2] Update lib/srv/db/common/kerberos/kinit/ldap.go
Co-authored-by: Zac Bergquist
---
 lib/srv/db/common/kerberos/kinit/ldap.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/srv/db/common/kerberos/kinit/ldap.go b/lib/srv/db/common/kerberos/kinit/ldap.go
index daf61b4d4ce0a..035994b0db99e 100644
--- a/lib/srv/db/common/kerberos/kinit/ldap.go
+++ b/lib/srv/db/common/kerberos/kinit/ldap.go
@@ -208,7 +208,6 @@ func (s *ldapConnector) tlsConfigForLDAP(ctx context.Context, clusterName string
 ClusterName: clusterName,
 Domain: s.ldapConfig.domain,
 ActiveDirectorySID: s.ldapConfig.serviceAccountSID,
- OmitCDP: false,
 }

 certPEM, keyPEM, caCerts, err := winpki.DatabaseCredentials(ctx, s.authClient, req)
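Review bot: After this series the request literal in tlsConfigForLDAP no longer mentions OmitCDP at all (PATCH 2/2 drops the explicit `OmitCDP: false`), so nothing at the call site records that the CRL distribution point is included on purpose. A short comment above the literal would keep a later cleanup from restoring the old value, for example `// OmitCDP is left unset on purpose: PKINIT certificates must carry the CDP.` The commit message also gives no reason for the change; if the motivation is that the party validating the certificate enforces revocation checking, say so, and note that the CRL presumably has to be published and reachable at that location for the certificate to be accepted. The function body starts and ends outside the hunk.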