[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ldap_int_open_connection/sasl doesn't work when host has no reverse DNS lookup (ITS#2450)

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of nelson@thursby.com

> One of my BETA testers at a site in the UK has a Windows
> Active Directory
> set up like this:
>     Service records for _ldap._tcp.example.com:
>         dc1.example.com
>         dc2.example.com
>    dc1.example.com =
>    dc2.example.com =
>     Reverse lookups provide PTR info
> = dc1.example.co.uk
> = dc2.example.co.uk

This is really a misconfigured domain; the forward and reverse lookups should
agree and CNAMEs should be used for the aliases.

> User wants to connect to ldap service for the domain.  Uses
> ldap://dc1.example.com as the URL.  LDAP library turns this into
> dc1.example.co.uk for the SASL stuff.  GSSAPI is now trying
> to get service
> tickets for ldap/dc1.example.co.uk instead of ldap/dc1.example.com
> Two security problems with this:
> 1) You are relying on DNS for the security (instead of using
> the security
> principal specified by the USER, you have silently switched
> that to the one
> specified by DNS).  DNS is easily spoofed.

Definitely a valid point. I think this is reason enough to eliminate this
behavior in OpenLDAP.

> 2) Mutual authentication is weakened because the service the
> user wanted isn't the one being authenticated.

It is weakened regardless due to the misconfiguration, but I think that's a
moot point.

> I'm just finishing BETA test that included over 300 Microsoft Active
> Directory sites.  I'd estimate that between 15-20 of these
> sites have DNS
> configurations that don't work with the current LDAP and MIT
> 1.3 releases
> because reverse lookups don't match SRV information.

That means that ~5% of your beta sites are misconfigured, while ~95% are
correct. That's not a bad figure really, and it shouldn't take much
effort/education to get that 5% whipped into shape. I don't see any
indication of broken software in this statistic, or any compelling reason to
change existing code based on this number.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support