[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldap_int_open_connection/sasl doesn't work when host has no reverse DNS lookup (ITS#2450)
It's my understanding that currently Cyrus SASL requires the
host parameter to be a FQDN. If it is not, GSSAPI (Kerberos)
authentication will fail (at least when using current
implementations).
I disagree that the SASL layer should be responsible for
canonicalization. The application should be (as it is closer
to the user and hence better suited to groking the user's
security needs). An unaware application should push the
canonicalization requirement onto its user.
This, obviously, has unfortunate ease of use considerations.
Hence, before I make the change to pass in the application
provided host name (or address) to SASL, some discussion is
needed.
Kurt
At 03:17 PM 4/15/2003, nelson@thursby.com wrote:
>Full_Name: Paul Nelson
>Version: 2.1.17
>OS: Mac OS X
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (208.7.44.100)
>
>
>ldap_int_open_connection handles connecting to a host using the host's DNS
>name.
>Unfortunately, it causes a reverse lookup to be performed in
>ldap_host_connected_to, and that result gets passed to ldap_int_sasl_open.
>
>The sasl layer should be wholly responsible for any name canonicalization. Name
>canonicalization using reverse DNS lookups is known to be a bad thing for
>krb5/gssapi, and could cause security problems.
>
>Changes to Kerberos are being discussed that would allow use of gssapi/krb5
>without reverse name lookups. You may wish to contact Sam Hartman
><hartmans@MIT.EDU> regarding this issue and SASL/gssapi issues.
>
>In addition, it simply breaks in many sites using Active Directory, where the AD
>domain controllers don't have reverse lookup entries. In this scenario, the
>domain controller names are returned by looking up the service records for ldap:
> _ldap._tcp.domain.org The names returned are the Kerberos service principal
>names. If reverse lookups are done on these names, the lookups may fail, or
>return different names that are NOT the server's kerberos principal name.