Re: Reverse Lookup Server SSL Certificate CN
Quanah Gibson-Mount wrote:
I certainly agree there. ;) My response was really geared to what Jack
had stated though, because that bit really didn't seem correct to me. ;)
Not entirely correct in OpenLDAP's case - although there are undoubtedly
some applications that do what Jack suggests.
In Kerberos's eyes it's up to the application to determine the service
principal it should use. Different applications take different approaches
to this.
OpenLDAP's approach is somewhat complicated as it passes through SASL and GSSAPI
before getting to Kerberos properly. SASL composes the GSSAPI acceptor
name (equivalent to the Kerberos service principal) from the service
name and FQDN passed in by the calling application. OpenLDAP sets the
service name to 'ldap', and if you've set the 'sasl-host' directive uses
that for the FQDN.
It's if sasl-host isn't set that things become interesting. When
sasl-host is unset, the hostname is determined through the
ldap_pvt_get_fqdn function. This uses the gethostname() call to get the
machine's hostname, and then gethostbyname() to turn it into the FQDN.
gethostbyname() potentially uses the resolver to work out the fully
qualified hostname.
Cheers,
Simon.
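The name-composition path Simon describes, as an added illustration that is not OpenLDAP's own code (it is not ldap_pvt_get_fqdn, and the function and stub names, the "ldap.example.com" / "ldap1.internal.example.com" hostnames and the keytab contents are all constructed here). It builds "ldap/<fqdn>" the way the reply describes (sasl-host wins; otherwise gethostname() followed by a gethostbyname()-style lookup, falling back to the bare hostname when resolution fails), and then runs the check a practitioner actually wants: does the resulting acceptor name match a principal in the keytab? The resolver step is injectable so the "resolver answers with a different canonical name" failure mode can be shown without real DNS:

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for gethostname() on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>

#define NAME_MAX_LEN 256

/* Resolver step: hostname -> canonical FQDN. Injected so it can be simulated. */
typedef int (*fqdn_lookup_fn)(const char *hostname, char *out, size_t outlen);

/* The real lookup, via gethostbyname() as the reply names it (obsolete, but
 * that is the call being discussed). h_name is whatever canonical name the
 * resolver answers with, which may not be the name the box calls itself. */
int lookup_fqdn_resolver(const char *hostname, char *out, size_t outlen)
{
    struct hostent *he = gethostbyname(hostname);
    if (he == NULL || he->h_name == NULL)
        return -1;
    snprintf(out, outlen, "%s", he->h_name);
    return 0;
}

/* Constructed stand-ins for resolver answers (no real lookups happen). */
int lookup_fqdn_stub_public(const char *h, char *out, size_t outlen)
{
    (void)h; snprintf(out, outlen, "%s", "ldap.example.com"); return 0;
}
int lookup_fqdn_stub_internal(const char *h, char *out, size_t outlen)
{
    (void)h; snprintf(out, outlen, "%s", "ldap1.internal.example.com"); return 0;
}

/* Compose "<service>/<host>": sasl-host if set, else gethostname() then the
 * resolver step, keeping the bare hostname if resolution fails. */
int compose_acceptor_name(const char *service, const char *sasl_host,
                          fqdn_lookup_fn lookup, char *out, size_t outlen)
{
    char host[NAME_MAX_LEN], fqdn[NAME_MAX_LEN];

    if (sasl_host != NULL && sasl_host[0] != '\0') {
        snprintf(host, sizeof host, "%s", sasl_host);
    } else {
        if (gethostname(host, sizeof host) != 0)
            return -1;
        host[sizeof host - 1] = '\0';      /* gethostname need not terminate */
        if (lookup(host, fqdn, sizeof fqdn) == 0)
            snprintf(host, sizeof host, "%s", fqdn);
    }
    int n = snprintf(out, outlen, "%s/%s", service, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Does the acceptor name match a keytab principal? The realm after '@' is
 * ignored because the composed acceptor name carries none. */
int acceptor_in_keytab(const char *acceptor, const char *const *keytab, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const char *at = strchr(keytab[i], '@');
        size_t len = at ? (size_t)(at - keytab[i]) : strlen(keytab[i]);
        if (strlen(acceptor) == len && memcmp(acceptor, keytab[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compose and check in one step: 1 = found, 0 = not found, -1 = compose failed. */
int check_acceptor(const char *service, const char *sasl_host, fqdn_lookup_fn lookup,
                   const char *const *keytab, size_t n)
{
    char name[NAME_MAX_LEN];
    if (compose_acceptor_name(service, sasl_host, lookup, name, sizeof name) != 0)
        return -1;
    return acceptor_in_keytab(name, keytab, n);
}

/* Constructed keytab contents for the examples. */
static const char *const EXAMPLE_KEYTAB[] = {
    "ldap/ldap.example.com@EXAMPLE.COM",
    "host/ldap.example.com@EXAMPLE.COM",
};
#define EXAMPLE_KEYTAB_N (sizeof EXAMPLE_KEYTAB / sizeof EXAMPLE_KEYTAB[0])

int main(void)
{
    char name[NAME_MAX_LEN];
    if (compose_acceptor_name("ldap", NULL, lookup_fqdn_resolver, name, sizeof name) == 0)
        printf("real resolver:   %s\n", name);
    printf("internal answer: in keytab = %d\n",
           check_acceptor("ldap", NULL, lookup_fqdn_stub_internal, EXAMPLE_KEYTAB, EXAMPLE_KEYTAB_N));
    printf("sasl-host set:   in keytab = %d\n",
           check_acceptor("ldap", "ldap.example.com", lookup_fqdn_stub_internal, EXAMPLE_KEYTAB, EXAMPLE_KEYTAB_N));
    return 0;
}
```

Run it on a server and compare the "real resolver" line against `klist -k`: if the resolver hands back a different canonical name (the internal case above), clients will ask the KDC for a principal the server has no key for, and setting sasl-host pins the name regardless of what DNS says. A modern rewrite would use getaddrinfo() with AI_CANONNAME instead of gethostbyname(), with the same caveat that the answer comes from the resolver, not from the machine.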