
Re: ldap_int_sasl_bind() and canonical Kerberos names



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon,

>> The patch unconditionally disables hostname canonicalisation for
>> the sasl client.
>
> I think this will break GSSAPI connections to LDAP servers that are
>  behind DNS round robin style load balancers.
>
> Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap-2.
> The LDAP library initiates a connection to 'ldap', and DNS points
> it to 'ldap-1'. Providing you ask SASL to set up a connection to
> 'ldap-1', you're fine (this is what the code does at the moment).
> However, if you ask the SASL library for a connection to 'ldap'
> (this is what your change does, as far as I can tell), and the
> library does a canonicalisation step (as most Kerberos
> implementations currently do), it will get 'ldap-2' back from the
> DNS. So, you end up trying to negotiate a SASL connection with
> 'ldap-2', when you're actually connected to 'ldap-1'. This tends
> not to work.

Thanks for the explanation and indeed I see that my patch would break
this use case. I have come to the conclusion that one of the two
reasons why I looked into this patch (do not keep realm data on the
local system) is actually a problem that has nothing to do with
canonicalisation. Realm referrals work just as well with the
reverse-DNS-based canonical name as long as it is a valid principal.
The other reason (be resilient against wrong reverse-DNS setups) could
still be a reason to use this patch, but now that I think of it, it
probably doesn't buy you much, as you need proper forward DNS anyway, so
you had better have proper reverse DNS too. Therefore I withdraw my patch.

Regards, Geert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQEVAwUBRyDy7prPkVOV4lDgAQJD9gf+KzsoMxBtCf0K0f80q6kWM+DAB64EpwCV
g2Lj9JdKK0BcxcyXpnz+vBrKPwuP8RP/1dkvNiBJrgcUVc9Yo25H+UNBHkff0wUt
QPZZvf9p/nxz0AQHAYrHdh94fM748y2LuMD/oVkpu+Oi8HeC5P5fo2VMpsoJ9pcg
9ee23yyuT3EyjpG3YGnApOOdAPgEqgUirvI+DibFYXo4hLrzwL5PKRmY3ggMZKa1
OrHz2qjZjvcktbs3cSU0v17tG+KLW1DtKaO80bSrbjAqb0l4rVPI+a6ixN5IEbG7
RdGKzx9jP4hgTP+Xt06e+eNFg19u0e72mrlzmH2A29C5RA2cHVsMRg==
=bLmO
-----END PGP SIGNATURE-----
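Added example, not code from this thread or from OpenLDAP: a small simulation of the round-robin case Simon describes, so you can see why deriving the GSSAPI target from the connected peer (what the current code does) stays consistent while handing the bare alias to SASL and letting Kerberos canonicalise it on its own can name a server you are not connected to. The zone data, the rotating resolver, the 192.0.2.x addresses, the host names and the realm EXAMPLE.COM are all constructed for the example; the two dns_* adapters at the bottom use real DNS through the standard socket module and are only used if you pass a host name on the command line.

```python
"""Simulate how the Kerberos service principal for an LDAP connection is
chosen under two strategies, against a round-robin DNS alias.

  connected-host: canonicalise the peer we actually connected to
                  (reverse DNS of its address), as the unpatched code does.
  alias:          hand the alias to SASL/Kerberos, which repeats the forward
                  lookup itself and may be pointed at another member.

Everything named here is constructed for the example; only the dns_*
adapters touch real DNS, and only when a name is given on the command line.
"""
import sys
from typing import Callable, Dict, List, Tuple

Forward = Callable[[str], List[str]]  # name -> addresses; first one is connected to
Reverse = Callable[[str], str]        # address -> PTR (canonical host) name

# Constructed zone: one alias, two members, plus their PTR records.
EXAMPLE_ZONE: Dict[str, List[str]] = {"ldap": ["192.0.2.1", "192.0.2.2"]}
EXAMPLE_PTR: Dict[str, str] = {
    "192.0.2.1": "ldap-1.example.com",
    "192.0.2.2": "ldap-2.example.com",
}


def example_reverse(ip: str) -> str:
    """Constructed reverse lookup for the example addresses."""
    return EXAMPLE_PTR[ip]


class RoundRobinResolver:
    """Stand-in for a round-robin answer: every lookup of the same name
    returns the record set rotated by one, as a DNS load balancer would."""

    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self._zone = {name: list(addrs) for name, addrs in zone.items()}

    def forward(self, name: str) -> List[str]:
        addrs = self._zone[name]
        answer = list(addrs)
        addrs.append(addrs.pop(0))  # rotate for the next caller
        return answer


def connect(alias: str, forward: Forward) -> str:
    """Resolve the alias and 'connect' to the first address returned."""
    addrs = forward(alias)
    if not addrs:
        raise LookupError(f"no address for {alias}")
    return addrs[0]


def principal_from_connected_host(alias: str, forward: Forward, reverse: Reverse,
                                  service: str = "ldap", realm: str = "EXAMPLE.COM") -> Tuple[str, str]:
    """Current behaviour: the principal names the host we really reached."""
    ip = connect(alias, forward)
    return ip, f"{service}/{reverse(ip)}@{realm}"


def principal_from_alias(alias: str, forward: Forward, reverse: Reverse,
                         service: str = "ldap", realm: str = "EXAMPLE.COM") -> Tuple[str, str]:
    """Withdrawn-patch behaviour: SASL only sees the alias, so the Kerberos
    library canonicalises it with a second, independent forward lookup."""
    ip = connect(alias, forward)
    canonical_ip = forward(alias)[0]  # may differ from ip under round robin
    return ip, f"{service}/{reverse(canonical_ip)}@{realm}"


def principal_matches_peer(ip: str, principal: str, reverse: Reverse) -> bool:
    """True if the principal's host part is the host we are connected to."""
    host = principal.split("/", 1)[1].split("@", 1)[0]
    return host == reverse(ip)


def count_mismatches(strategy, alias: str, forward: Forward, reverse: Reverse,
                     trials: int = 10) -> int:
    """Number of connections whose negotiated principal names the wrong server."""
    bad = 0
    for _ in range(trials):
        ip, principal = strategy(alias, forward, reverse)
        if not principal_matches_peer(ip, principal, reverse):
            bad += 1
    return bad


def dns_forward(name: str) -> List[str]:
    """Real forward lookup via the resolver library (gethostbyname_ex)."""
    import socket
    return socket.gethostbyname_ex(name)[2]


def dns_reverse(ip: str) -> str:
    """Real reverse lookup via the resolver library (gethostbyaddr)."""
    import socket
    return socket.gethostbyaddr(ip)[0]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a live alias, e.g. your own 'ldap' name
        alias, fwd, rev = sys.argv[1], dns_forward, dns_reverse
    else:                  # constructed round-robin zone
        alias, fwd, rev = "ldap", RoundRobinResolver(EXAMPLE_ZONE).forward, example_reverse
    for label, strategy in (("connected-host", principal_from_connected_host),
                            ("alias", principal_from_alias)):
        print(f"{label}: {count_mismatches(strategy, alias, fwd, rev)} mismatches in 10 trials")
```

With the constructed two-member zone the connected-host strategy never mismatches, while the alias strategy negotiates ldap/ldap-2.example.com on every connection that actually went to 192.0.2.1; with a single-record alias both strategies agree, which is why the problem only shows up behind a load balancer. Running the script with your own alias as the argument does the same comparison against live DNS, so a mismatch count above zero tells you the reverse-DNS names of the members are what the client has to present to GSSAPI.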