[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap_int_open_connection/sasl doesn't work when host has no reverse DNS lookup (ITS#2450)

Full_Name: Paul Nelson
Version: 2.1.17
OS: Mac OS X
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

ldap_int_open_connection handles connecting to a host using the host's DNS
Unfortunately, it causes a reverse lookup to be performed in
ldap_host_connected_to, and that result gets passed to ldap_int_sasl_open.

The sasl layer should be wholly responsible for any name canonicalization.  Name
canonicalization using reverse DNS lookups is known to be a bad thing for
krb5/gssapi, and could cause security problems.

Changes to Kerberos are being discussed that would allow use of gssapi/krb5
without reverse name lookups.  You may wish to contact Sam Hartman
<hartmans@MIT.EDU> regarding this issue and SASL/gssapi issues.

In addition, it simply breaks in many sites using Active Directory, where the AD
domain controllers don't have reverse lookup entries.  In this scenario, the
domain controller names are returned by looking up the service records for ldap:
 _ldap._tcp.domain.org  The names returned are the Kerberos service principal
names.  If reverse lookups are done on these names, the lookups may fail, or
return different names that are NOT the server's kerberos principal name.