
Re: Reverse Lookup Server SSL Certificate CN



Quanah Gibson-Mount wrote:

I certainly agree there. ;) My response was really geared to what Jack had stated though, because that bit really didn't seem correct to me. ;)

Not entirely correct in OpenLDAP's case - although there are undoubtedly some applications that do what Jack suggests.


In Kerberos's eyes it's up to the application to determine the service principal it should use. Different applications take different approaches to this.

OpenLDAP's is somewhat complicated as it passes through SASL and GSSAPI before getting to Kerberos properly. SASL composes the GSSAPI acceptor name (equivalent to the Kerberos service principal) from the service name and FQDN passed in by the calling application. OpenLDAP sets the service name to 'ldap', and if you've set the 'sasl-host' directive uses that for the FQDN.

It's if sasl-host isn't set that things become interesting. When sasl-host is unset, the hostname is determined through the ldap_pvt_get_fqdn function. This uses the gethostname() call to get the machine's hostname, and then gethostbyname() to turn it into the FQDN.

gethostbyname() potentially uses the resolver to work out the fully qualified hostname.

Cheers,

Simon.
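The derivation Simon describes, as an added illustration that is not OpenLDAP's own code: when no sasl-host is configured, the host part of the acceptor name comes from gethostname() followed by gethostbyname(), so the resulting "ldap@host" name depends on whatever the resolver returns; when sasl-host is set, that value is used verbatim and the resolver is never consulted. The helper names derive_fqdn and compose_acceptor_name are hypothetical, and the fallback to the bare hostname when the lookup fails is an assumption rather than something taken from the OpenLDAP source.

```c
/* Added example, not OpenLDAP code: shows how the SASL/GSSAPI acceptor
 * name ("service@host") ends up depending on the resolver when the
 * sasl-host directive is unset. Helper names are hypothetical. */
#define _DEFAULT_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_MAX_LEN 256

/* Compose the acceptor name as "service@host".
 * Returns 0 on success, -1 if the output buffer is too small. */
int compose_acceptor_name(const char *service, const char *host,
                          char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", service, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Derive the host part of the acceptor name.
 * - sasl_host != NULL: use it verbatim (the sasl-host directive); the
 *   resolver is not involved. Returns 0.
 * - sasl_host == NULL: call gethostname(), then gethostbyname() on the
 *   result and take the canonical name (h_name). If the lookup fails,
 *   keep the bare hostname (assumed fallback, not verified against
 *   OpenLDAP). Returns 1 to flag that the resolver was consulted.
 * Returns -1 on error. */
int derive_fqdn(const char *sasl_host, char *out, size_t outlen)
{
    char hostname[NAME_MAX_LEN];
    struct hostent *he;
    const char *chosen;

    if (sasl_host != NULL) {
        if (strlen(sasl_host) >= outlen)
            return -1;
        strcpy(out, sasl_host);
        return 0;
    }

    if (gethostname(hostname, sizeof hostname) != 0)
        return -1;
    hostname[sizeof hostname - 1] = '\0';   /* gethostname may not NUL-terminate */

    he = gethostbyname(hostname);            /* may hit DNS, /etc/hosts, NIS, ... */
    chosen = (he != NULL && he->h_name != NULL) ? he->h_name : hostname;
    if (strlen(chosen) >= outlen)
        return -1;
    strcpy(out, chosen);
    return 1;
}

int main(void)
{
    char host[NAME_MAX_LEN];
    char acceptor[NAME_MAX_LEN + 16];

    /* Path taken when sasl-host is unset: result depends on the resolver. */
    if (derive_fqdn(NULL, host, sizeof host) >= 0 &&
        compose_acceptor_name("ldap", host, acceptor, sizeof acceptor) == 0)
        printf("sasl-host unset: %s\n", acceptor);

    /* Path taken when sasl-host is set: pinned, resolver not consulted. */
    if (derive_fqdn("ldap.example.com", host, sizeof host) == 0 &&
        compose_acceptor_name("ldap", host, acceptor, sizeof acceptor) == 0)
        printf("sasl-host set:   %s\n", acceptor);
    return 0;
}
```

Running the program on a machine whose resolver returns a different canonical name than the one in the keytab makes the mismatch visible immediately in the first line of output; setting sasl-host removes the resolver from the equation, which is why pinning it is the usual fix when the GSSAPI bind fails with a principal-not-found error.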