Re: ldap_int_sasl_bind() and canonical Kerberos names
Quanah Gibson-Mount wrote:
Does your patch work if Heimdal is being used as well? Because
I've found MIT not to be worthwhile to compile the OpenLDAP server
against, for stability and throughput reasons.
A patch against OpenLDAP 2.3 is attached below. It works fine with MIT
but I have not tried it with Heimdal (I think it should work though). If
I set "rdns = no" in [libdefaults] in the Kerberos configuration file, I
get the following advantages:
- I can call "ldapsearch -h <host>" on a host that does not have a
reverse DNS mapping.
- I can call "ldapsearch -h <host>" on a host for which no domain to
realm mapping exists locally, making use of server-side referrals (in my
case with a Windows 2003 KDC).
The patch unconditionally disables hostname canonicalisation for the
SASL client. In my view this should be OK, as the Kerberos library will
do hostname canonicalisation anyway and therefore this step is redundant
in OpenLDAP. But by not doing this in OpenLDAP, we add the possibility
of the Kerberos library deciding to take another (or no)
canonicalisation option. In my view, hostname canonicalisation is a
Kerberos-specific issue and therefore should be performed only in the
Kerberos library.
I assume I need to create an issue tracker entry if I want to submit
this for inclusion? Also I will try to create versions of the patch for
2.4 and the trunk.
Regards, Geert
Index: libraries/libldap/cyrus.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/cyrus.c,v
retrieving revision 1.112.2.17
diff -u -r1.112.2.17 cyrus.c
--- libraries/libldap/cyrus.c 8 Oct 2007 09:53:53 -0000 1.112.2.17
+++ libraries/libldap/cyrus.c 24 Oct 2007 20:57:58 -0000
@@ -639,10 +639,8 @@
}
{
- char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
- "localhost" );
+ char *saslhost = ld->ld_options.ldo_defludp->lud_host;
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- LDAP_FREE( saslhost );
}
if ( rc != LDAP_SUCCESS ) return rc;
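Review bot: the replacement reads ld->ld_options.ldo_defludp->lud_host, the first host of the default URI list, not necessarily the server this connection was actually opened to, while the ldo_curludp field the same patch adds (and sets in request.c to the srv on which ldap_int_open_connection() succeeded) is never read here; either use `char *saslhost = ld->ld_options.ldo_curludp->lud_host;` behind a NULL check or drop the new field. Note also that the removed ldap_host_connected_to() call supplied "localhost" as a fallback, whereas lud_host can be NULL for a URI without a host part, so the new value should be guarded before it reaches ldap_int_sasl_open(). Dropping LDAP_FREE( saslhost ) is correct, since the string is no longer an allocated copy.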
Index: libraries/libldap/ldap-int.h
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/ldap-int.h,v
retrieving revision 1.160.2.10
diff -u -r1.160.2.10 ldap-int.h
--- libraries/libldap/ldap-int.h 23 Apr 2007 12:28:20 -0000 1.160.2.10
+++ libraries/libldap/ldap-int.h 24 Oct 2007 20:57:59 -0000
@@ -178,6 +178,7 @@
#endif
LDAPURLDesc *ldo_defludp;
+ LDAPURLDesc *ldo_curludp;
int ldo_defport;
char* ldo_defbase;
char* ldo_defbinddn; /* bind dn */
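Review bot: ldo_curludp is added without the trailing comment its neighbours carry (ldo_defbinddn has `/* bind dn */`); document what it points to and who owns it. As assigned in request.c it is a raw pointer into the srvlist being iterated, not a copy, so the comment should state that it must not outlive that list and is never freed through this field.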
Index: libraries/libldap/open.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/open.c,v
retrieving revision 1.105.2.7
diff -u -r1.105.2.7 open.c
--- libraries/libldap/open.c 2 Jan 2007 21:43:49 -0000 1.105.2.7
+++ libraries/libldap/open.c 24 Oct 2007 20:57:59 -0000
@@ -125,6 +125,7 @@
ld->ld_options.ldo_tm_api = NULL;
ld->ld_options.ldo_tm_net = NULL;
ld->ld_options.ldo_defludp = NULL;
+ ld->ld_options.ldo_curludp = NULL;
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
Index: libraries/libldap/request.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/request.c,v
retrieving revision 1.103.2.19
diff -u -r1.103.2.19 request.c
--- libraries/libldap/request.c 1 Jul 2007 12:17:28 -0000 1.103.2.19
+++ libraries/libldap/request.c 24 Oct 2007 20:58:00 -0000
@@ -354,6 +354,7 @@
for ( srv = srvlist; srv != NULL; srv = srv->lud_next ) {
if ( ldap_int_open_connection( ld, lc, srv, 0 ) != -1 )
{
+ ld->ld_options.ldo_curludp = srv;
break;
}
}
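Review bot: storing the server in the per-handle ld->ld_options rather than on the LDAPConn (lc) that was just opened means that after a second connection on the same ld (a referral, for instance) the field describes the most recently opened connection, not ld_defconn, which is the connection the cyrus.c change binds on; keep it on lc instead. It is also never cleared: srv belongs to srvlist, so a caller that frees that list after this loop leaves ldo_curludp dangling. And as the patch stands the field is write-only, since cyrus.c still reads ldo_defludp->lud_host.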
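The two canonicalisation stages the thread is about (libldap's reverse lookup of the connected peer with "localhost" as fallback, which the patch removes, and the Kerberos library's own rdns-dependent canonicalisation), as an added example that is not part of the original post and is not OpenLDAP, MIT or Heimdal code. The DNS records, the realm map and all function names are constructed, and the Kerberos-library model is an assumption (forward lookup always; the PTR name substituted only when rdns is on and a PTR exists). It shows why "rdns = no" alone does not help before the patch, and why the reverse zone, which belongs to whoever owns the address space rather than to the client, is the wrong place to decide which service principal to request.

```python
# Added example: not code from the original post, OpenLDAP, MIT or Heimdal.
# It models, against a constructed in-memory DNS, the two places the LDAP
# server name can be canonicalised before a GSSAPI bind: libldap (reverse
# lookup of the connected peer, with "localhost" as fallback, which the
# patch removes) and the Kerberos library (forward lookup, plus reverse
# lookup when krb5.conf has rdns = yes). All names and records are made up.

# Constructed forward (A) and reverse (PTR) records.
A_RECORDS = {
    "localhost": "127.0.0.1",
    "ldap1.example.com": "192.0.2.10",
    "ldap2.example.com": "192.0.2.11",   # no PTR record for this address
    "dc.corp.example": "192.0.2.20",     # no local domain -> realm mapping
    "evil.attacker.test": "192.0.2.20",  # attacker name pointing at dc's IP
}
PTR_RECORDS = {
    "127.0.0.1": "localhost",
    "192.0.2.10": "ldap1.example.com",
    "192.0.2.20": "evil.attacker.test",  # reverse zone owned by someone else
}

# Constructed stand-in for krb5.conf [domain_realm].
DOMAIN_REALM = {".example.com": "EXAMPLE.COM"}


def forward_lookup(host):
    """getaddrinfo() stand-in: address for a name, or LookupError."""
    host = host.rstrip(".").lower()
    if host not in A_RECORDS:
        raise LookupError("no A record for " + host)
    return A_RECORDS[host]


def reverse_lookup(addr):
    """getnameinfo(NI_NAMEREQD) stand-in: PTR name, or None."""
    return PTR_RECORDS.get(addr)


def libldap_sasl_host(uri_host, patched):
    """Host name libldap hands to the SASL layer.

    Unpatched: reverse-resolve the peer the socket connected to and fall
    back to "localhost" if that fails (ldap_host_connected_to()).
    Patched: the host from the URI, as typed on the command line.
    """
    if patched:
        return uri_host
    return reverse_lookup(forward_lookup(uri_host)) or "localhost"


def krb5_canonical_host(host, rdns):
    """Assumed model of Kerberos-library host canonicalisation.

    Forward lookup always; with rdns the PTR name, when present, replaces
    the name the caller supplied.
    """
    host = host.rstrip(".").lower()
    addr = forward_lookup(host)
    if rdns:
        ptr = reverse_lookup(addr)
        if ptr:
            return ptr.lower()
    return host


def realm_for(host):
    """[domain_realm] lookup; None means 'no local mapping, KDC referral'."""
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix):
            return realm
    return None


def ldap_service_principal(uri_host, patched, rdns):
    """Service principal the client will ask the KDC for.

    An empty realm means the client relies on a server-side referral.
    """
    sasl_host = libldap_sasl_host(uri_host, patched)
    chost = krb5_canonical_host(sasl_host, rdns)
    return "ldap/%s@%s" % (chost, realm_for(chost) or "")


if __name__ == "__main__":
    for uri_host in ("ldap1.example.com", "ldap2.example.com", "dc.corp.example"):
        for patched in (False, True):
            for rdns in (True, False):
                print("%-18s patched=%-5s rdns=%-5s -> %s" % (
                    uri_host, patched, rdns,
                    ldap_service_principal(uri_host, patched, rdns)))
```

Running it prints one line per combination. For ldap2.example.com (no PTR) the unpatched client asks for ldap/localhost@ whatever rdns says, because libldap already substituted the fallback before the Kerberos library saw the name; the patched client asks for ldap/ldap2.example.com@EXAMPLE.COM. For dc.corp.example the patched client with rdns = no requests ldap/dc.corp.example@ with an empty realm and lets the KDC refer it, while any combination that consults the reverse zone ends up requesting a ticket for the name the owner of that zone chose.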