Re: Reverse Lookup Server SSL Certificate CN
Quanah Gibson-Mount wrote:
> I certainly agree there. ;)  My response was really geared to what Jack 
> had stated though, because that bit really didn't seem correct to me. ;)
Not entirely correct in OpenLDAP's case - although there are undoubtedly 
some applications that do what Jack suggests.
In Kerberos's eyes it's up to the application to determine the service 
principal it should use. Different applications take different approaches 
to this.
OpenLDAP's is somewhat complicated as it passes through SASL and GSSAPI 
before getting to Kerberos properly. SASL composes the GSSAPI acceptor 
name (equivalent to the Kerberos service principal) from the service 
name and FQDN passed in by the calling application. OpenLDAP sets the 
service name to 'ldap', and if you've set the 'sasl-host' directive uses 
that for the FQDN.
It's if sasl-host isn't set that things become interesting. When 
sasl-host is unset, the hostname is determined through the 
ldap_pvt_get_fqdn function. This uses the gethostname() call to get the 
machine's hostname, and then gethostbyname() to turn it into the FQDN.
gethostbyname() potentially uses the resolver to work out the fully 
qualified hostname.
Cheers,
Simon.