
Re: Reverse Lookup Server SSL Certificate CN

--On Thursday, January 08, 2004 12:47 AM +0000 Simon Wilkinson <simon@sxw.org.uk> wrote:

Quanah Gibson-Mount wrote:

I certainly agree there. ;)  My response was really geared to what Jack
had stated though, because that bit really didn't seem correct to me. ;)

Not entirely correct in OpenLDAP's case - although there are undoubtedly some applications that do what Jack suggests.

In Kerberos's eyes it's up to the application to determine the service
principal it should use. Different applications take different approaches
to this.

OpenLDAP's is somewhat complicated as it passes through SASL and GSSAPI
before getting to Kerberos properly. SASL composes the GSSAPI acceptor
name (equivalent to the Kerberos service principal) from the service name
and FQDN passed in by the calling application. OpenLDAP sets the service
name to 'ldap', and if you've set the 'sasl-host' directive uses that for
the FQDN.

It's if sasl-host isn't set that things become interesting. When
sasl-host is unset, the hostname is determined through the
ldap_pvt_get_fqdn function. This uses the gethostname() call to get the
machine's hostname, and then gethostbyname() to turn it into the FQDN.

gethostbyname() potentially uses the resolver to work out the fully
qualified hostname.

Simon,

Thanks, that makes sense. :)  I, of course, use the sasl-host name. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
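The acceptor-name derivation Simon describes, modelled as an added example (not code from the thread or from OpenLDAP): the service name 'ldap' is joined to either the sasl-host value or the FQDN obtained gethostname() -> gethostbyname() style, and the result is compared against what a keytab actually holds. The resolver callables, host names and realm are constructed stand-ins so the check runs offline.

```python
import socket


def resolve_fqdn(gethostname=socket.gethostname, gethostbyname_ex=socket.gethostbyname_ex):
    """Mimic ldap_pvt_get_fqdn: machine hostname, then the resolver's canonical name.

    The callables are injectable so the behaviour can be exercised without DNS.
    """
    short = gethostname()
    try:
        canonical, _aliases, _addrs = gethostbyname_ex(short)
    except OSError:
        # Resolver failure: nothing better than the bare hostname is available.
        return short
    return canonical


def gssapi_acceptor_name(service="ldap", sasl_host=None, **resolver):
    """Host-based GSSAPI name as SASL builds it: 'service@host'.

    sasl-host, when set, wins; otherwise the resolver decides the host part.
    """
    host = sasl_host if sasl_host else resolve_fqdn(**resolver)
    return f"{service}@{host}"


def kerberos_principal(acceptor_name, realm):
    """Kerberos form of a host-based name: 'service/host@REALM'.

    Note: the Kerberos library may canonicalise the host part again (e.g.
    MIT krb5's rdns setting), which this model does not attempt to reproduce.
    """
    service, host = acceptor_name.split("@", 1)
    return f"{service}/{host}@{realm}"


def keytab_has_principal(realm, keytab_principals, sasl_host=None, **resolver):
    """Return (required principal, present-in-keytab?) for a slapd configuration."""
    principal = kerberos_principal(gssapi_acceptor_name(sasl_host=sasl_host, **resolver), realm)
    return principal, principal in keytab_principals


if __name__ == "__main__":
    # Constructed scenario: the box is reached as ldap.example.com (a CNAME),
    # but the resolver's canonical name for it is host7.example.com.
    fake_resolver = dict(
        gethostname=lambda: "ldap",
        gethostbyname_ex=lambda h: ("host7.example.com", ["ldap.example.com"], ["192.0.2.10"]),
    )
    keytab = {"ldap/ldap.example.com@EXAMPLE.COM"}
    print(keytab_has_principal("EXAMPLE.COM", keytab, **fake_resolver))
    print(keytab_has_principal("EXAMPLE.COM", keytab, sasl_host="ldap.example.com"))
```

The first call reports the principal slapd would need without sasl-host set (ldap/host7.example.com, absent from the keytab); the second shows the explicit sasl-host setting lining up with the keytab entry.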