
Re: (ITS#5812) New option to disable SASL host canonicalization



geert@boskant.nl wrote:
> Full_Name: Geert Jansen
> Version: 2.4
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/geert-jansen-081115.patch
> Submission from: (NULL) (12.230.186.195)
>
>
> This is a resubmission of my earlier patch in [1]. I'm asking for this patch to
> be included into OpenLDAP.
>
> The patch adds an LDAP option called LDAP_OPT_X_SASL_NOCANON to disable host
> name canonicalization using reverse DNS for the host name that is passed into
> SASL. Instead, it passes verbatim the host name part from the LDAP URI and lets
> SASL do the canonicalization. The option is disabled by default.
>
> Kerberos requires a canonical host name to work. Traditionally, host name
> canonicalization has been done using reverse DNS. However, this is problematic.
> See the comment below from the MIT Kerberos source on this subject:
>
>                 /* XXX: This is *so* bogus.  There are several cases where
>                    this won't get us the canonical name of the host, but
>                    this is what we've trained people to expect.  We'll
>                    probably fix it at some point, but let's try to
>                    preserve the current behavior and only shake things up
>                    once when it comes time to fix this lossage.  */
>
> For some time now MIT Kerberos has had support for server-side canonicalization,
> which is an alternative to the DNS based scheme. By default it uses both, but with
> the option "rdns = no", reverse DNS can be disabled.
>
> The use case for this is environments that do not have reverse DNS set up
> correctly. Especially in Windows Active Directory environments this is very
> common. Administrators are afraid to enable scavenging for their zones, and
> therefore any server IP change will leave a stale PTR record in place. This
> breaks reverse DNS based canonicalization if the IP address is reassigned.

Breaking more software to use it with already broken software is, in a word, 
stupid. The standard practice for Kerberos requires you to have consistent 
forward and reverse DNS lookups. Sysadmins who are afraid to administer their 
software should either change their software or change their jobs.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
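The following is an added illustration, not code from OpenLDAP, MIT Kerberos or either poster, of the two canonicalization behaviours discussed in the quoted submission and of the forward/reverse consistency check Howard Chu refers to. The DNS zone contents, the realm EXAMPLE.COM and the host names are constructed so the script runs offline; the reverse zone deliberately carries a stale PTR record for an address that was reassigned, the situation the submission describes.

```python
"""
Simulated Kerberos host-name canonicalization for an LDAP service principal.

Constructed example (not OpenLDAP or MIT Kerberos code). It models the two
steps a client library traditionally takes before asking the KDC for
ldap/<fqdn>@REALM: a forward lookup of the URI host name, then a reverse
lookup of the resulting address. With rdns disabled (krb5.conf "rdns = no",
or passing the URI host verbatim to SASL) the reverse step is skipped.
"""

REALM = "EXAMPLE.COM"  # assumed realm for the example

# Constructed forward zone: host name -> address.
A_RECORDS = {
    "ldap.example.com": "192.0.2.10",
    "ldap-old.example.com": "192.0.2.10",  # decommissioned server, record left behind
    "ldap-new.example.com": "192.0.2.20",
}

# Constructed reverse zone: address -> host name. 192.0.2.10 was reassigned to
# ldap.example.com, but scavenging was never enabled, so the PTR record still
# names the old host.
PTR_RECORDS = {
    "192.0.2.10": "ldap-old.example.com",
    "192.0.2.20": "ldap-new.example.com",
}


def canonicalize(host, rdns=True):
    """Return the host name the client will put into the service principal.

    rdns=True mimics the traditional forward-then-reverse behaviour that the
    quoted MIT comment calls bogus; rdns=False keeps the forward-resolved
    name, as "rdns = no" or LDAP_OPT_X_SASL_NOCANON would.
    """
    name = host.lower()
    addr = A_RECORDS.get(name)
    if addr is None:
        raise LookupError(f"no A record for {name}")
    if not rdns:
        return name
    # A missing PTR falls back to the forward name; a stale one wins.
    return PTR_RECORDS.get(addr, name)


def service_principal(host, rdns=True):
    """Service principal the client would request a ticket for."""
    return f"ldap/{canonicalize(host, rdns)}@{REALM}"


def dns_consistent(host):
    """Check that forward and reverse lookups agree for a host name.

    Returns (ok, detail). This is the 'consistent forward and reverse DNS'
    requirement from the reply, expressed as a check an admin can run before
    relying on reverse-DNS canonicalization.
    """
    name = host.lower()
    addr = A_RECORDS.get(name)
    if addr is None:
        return False, f"{name}: no A record"
    ptr = PTR_RECORDS.get(addr)
    if ptr is None:
        return False, f"{addr}: no PTR record"
    if ptr != name:
        return False, f"{addr}: PTR is {ptr}, expected {name}"
    if A_RECORDS.get(ptr) != addr:
        return False, f"{ptr}: forward record does not point back to {addr}"
    return True, f"{name} <-> {addr} agree"


if __name__ == "__main__":
    for host in ("ldap.example.com", "ldap-new.example.com"):
        print(host)
        print("  rdns=yes ->", service_principal(host, rdns=True))
        print("  rdns=no  ->", service_principal(host, rdns=False))
        print("  check    ->", dns_consistent(host)[1])
```

Running it shows the failure the submission describes: with reverse DNS enabled, a client connecting to ldap://ldap.example.com asks for ldap/ldap-old.example.com@EXAMPLE.COM, a principal the new server has no key for, while with rdns disabled it asks for ldap/ldap.example.com@EXAMPLE.COM. The consistency check flags the stale PTR for ldap.example.com, but note that it passes for ldap-old.example.com, since that name still resolves both ways; the check has to be run against the names clients actually use. The security angle behind the MIT comment is the same mechanism: with reverse lookups in the path, whoever controls the PTR record for the server's address chooses which service principal the client will request.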