
Re: ldap_int_open_connection/sasl doesn't work when host has no reverse DNS lookup (ITS#2450)



When used in a network that does not have reverse name lookup for all LDAP
servers, the name canonicalization in LDAP PREVENTS the user from specifying
what host they want to connect to.

Besides, if you are really attempting to canonicalize, you shouldn't allow
getnameinfo to return the dotted decimal string.  That certainly won't do
GSSAPI any good.

One of my BETA testers at a site in the UK has a Windows Active Directory
set up like this:

    Service records for _ldap._tcp.example.com:
        dc1.example.com
        dc2.example.com
    dc1.example.com = 192.168.0.50
    dc2.example.com = 192.168.1.50

    Reverse lookups provide PTR info
    192.168.0.50 = dc1.example.co.uk
    192.168.1.50 = dc2.example.co.uk

User wants to connect to the ldap service for the domain.  Uses
ldap://dc1.example.com as the URL.  LDAP library turns this into
dc1.example.co.uk for the SASL stuff.  GSSAPI is now trying to get service
tickets for ldap/dc1.example.co.uk instead of ldap/dc1.example.com.

Two security problems with this:
1) You are relying on DNS for the security (instead of using the security
principal specified by the USER, you have silently switched that to the one
specified by DNS).  DNS is easily spoofed.
2) Mutual authentication is weakened because the service the user wanted
isn't the one being authenticated.

So I would agree with you.  The application IS closest to the user and
SHOULD provide the service name used for mutual authentication.  However,
the LDAP library prevents this quite decidedly by relying on DNS instead.

There are also problems in Kerberos dealing with improper name
canonicalization.  These are being discussed but no clear solution has been
proposed for the 1.3 MIT version.

I'm just finishing BETA test that included over 300 Microsoft Active
Directory sites.  I'd estimate that between 15-20 of these sites have DNS
configurations that don't work with the current LDAP and MIT 1.3 releases
because reverse lookups don't match SRV information.

-- 
Paul W. Nelson
Thursby Software Systems, Inc.

> From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> Date: Mon, 21 Apr 2003 17:24:57 -0700
> To: nelson@thursby.com
> Cc: openldap-its@OpenLDAP.org
> Subject: Re: ldap_int_open_connection/sasl doesn't work when host has no
> reverse DNS lookup (ITS#2450)
> 
> I disagree that the SASL layer should be responsible for
> canonicalization.  The application should be (as it is closer
> to the user and hence better suited to grokking the user's
> security needs).  An unaware application should push the
> canonicalization requirement onto its user.
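The following is an added example, not code from OpenLDAP, Cyrus SASL or MIT Kerberos. It simulates, with constructed DNS tables modelled on the UK site described above, what happens to the GSSAPI service principal when the library picks the SASL host from a reverse lookup, and contrasts it with a host-selection policy in which the name the user typed stays the mutual-authentication target. The forward records for the .co.uk names and the extra host dc3.example.com (which has no PTR at all) are assumptions added for the demonstration; the thread does not describe them.

```python
"""Added example (not OpenLDAP/SASL code): shows how reverse-DNS canonicalization
of the SASL host silently changes the GSSAPI service principal, and a policy
that keeps the user-specified name instead."""
import ipaddress

# Constructed DNS data mirroring the site in the post.  The .co.uk forward
# records and dc3.example.com (no PTR) are assumptions added for illustration.
SRV_RECORDS = {"_ldap._tcp.example.com": ["dc1.example.com", "dc2.example.com"]}
A_RECORDS = {
    "dc1.example.com": "192.168.0.50",
    "dc2.example.com": "192.168.1.50",
    "dc1.example.co.uk": "192.168.0.50",   # assumption: forward-confirms the PTR
    "dc2.example.co.uk": "192.168.1.50",   # assumption: forward-confirms the PTR
    "dc3.example.com": "192.168.2.50",     # constructed: host with no PTR record
}
PTR_RECORDS = {"192.168.0.50": "dc1.example.co.uk", "192.168.1.50": "dc2.example.co.uk"}


def resolve(host):
    """Stand-in for getaddrinfo(): forward lookup in the constructed table."""
    return A_RECORDS.get(host)


def reverse_name(ip):
    """Stand-in for getnameinfo(): the PTR name, or the dotted-decimal string
    when no PTR exists, which is the fallback the post complains about."""
    return PTR_RECORDS.get(ip, ip)


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def canonicalize_via_reverse_dns(user_host):
    """The behaviour under discussion: resolve the name, then take the PTR name."""
    ip = resolve(user_host)
    if ip is None:
        raise LookupError(f"no address for {user_host}")
    return reverse_name(ip)


def service_principal(service, host):
    return f"{service}/{host}"


def sasl_host_naive(user_host):
    """Library chooses the SASL host from reverse DNS; the principal drifts."""
    return canonicalize_via_reverse_dns(user_host)


def sasl_host_user_controlled(user_host, canonicalize=False):
    """Policy argued for in the thread: the user's name is the target of mutual
    authentication.  Canonicalization happens only on explicit request, and a
    numeric result or a name that does not forward-confirm is refused."""
    if not canonicalize:
        return user_host
    canon = canonicalize_via_reverse_dns(user_host)
    if is_ip_literal(canon):
        raise ValueError(f"reverse lookup for {user_host} gave no name; refusing {canon}")
    if resolve(canon) != resolve(user_host):
        raise ValueError(f"{canon} is not forward-confirmed for {user_host}")
    return canon


def canonicalization_refused(user_host):
    """True when explicit canonicalization is rejected by the policy above."""
    try:
        sasl_host_user_controlled(user_host, canonicalize=True)
        return False
    except ValueError:
        return True


def principal_drift(user_host, chosen_host, service="ldap"):
    """True when the service that gets authenticated is not the one the user asked for."""
    return service_principal(service, user_host) != service_principal(service, chosen_host)


if __name__ == "__main__":
    for host in SRV_RECORDS["_ldap._tcp.example.com"] + ["dc3.example.com"]:
        naive = sasl_host_naive(host)
        safe = sasl_host_user_controlled(host)
        print(f"{host}: reverse-DNS -> {service_principal('ldap', naive)} "
              f"(drift={principal_drift(host, naive)}); "
              f"user-controlled -> {service_principal('ldap', safe)}")
```

Running it prints the drift for dc1 and dc2 (the user asked for ldap/dc1.example.com, the library would authenticate ldap/dc1.example.co.uk) and the dotted-decimal principal for dc3, while the user-controlled policy returns the name from the URL in every case. Note that forward-confirmation alone does not fix the problem: dc1.example.co.uk forward-confirms in this data and still names a different principal than the user specified, which is why the policy defaults to no canonicalization at all.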