[Date Prev][Date Next]
RE: ldap_int_open_connection/sasl doesn't work when host has no reverse DNS lookup (ITS#2450)
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of email@example.com
> One of my BETA testers at a site in the UK has a Windows
> Active Directory
> set up like this:
> Service records for _ldap._tcp.example.com:
> dc1.example.com = 192.168.0.50
> dc2.example.com = 192.168.1.50
> Reverse lookups provide PTR info
> 192.168.0.50 = dc1.example.co.uk
> 192.168.1.50 = dc2.example.co.uk
This is really a misconfigured domain; the forward and reverse lookups should
agree and CNAMEs should be used for the aliases.
> User wants to connect to ldap service for the domain. Uses
> ldap://dc1.example.com as the URL. LDAP library turns this into
> dc1.example.co.uk for the SASL stuff. GSSAPI is now trying
> to get service
> tickets for ldap/dc1.example.co.uk instead of ldap/dc1.example.com
> Two security problems with this:
> 1) You are relying on DNS for the security (instead of using
> the security
> principal specified by the USER, you have silently switched
> that to the one
> specified by DNS). DNS is easily spoofed.
Definitely a valid point. I think this is reason enough to eliminate this
behavior in OpenLDAP.
> 2) Mutual authentication is weakened because the service the
> user wanted isn't the one being authenticated.
It is weakened regardless due to the misconfiguration, but I think that's a
> I'm just finishing BETA test that included over 300 Microsoft Active
> Directory sites. I'd estimate that between 15-20 of these
> sites have DNS
> configurations that don't work with the current LDAP and MIT
> 1.3 releases
> because reverse lookups don't match SRV information.
That means that ~5% of your beta sites are misconfigured, while ~95% are
correct. That's not a bad figure really, and it shouldn't take much
effort/education to get that 5% whipped into shape. I don't see any
indication of broken software in this statistic, or any compelling reason to
change existing code based on this number.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support