[Date Prev][Date Next]
(ITS#5812) New option to disable SASL host canonicalization
Full_Name: Geert Jansen
Submission from: (NULL) (220.127.116.11)
This is a resubmission of my earlier patch in . I'm asking for this patch to
be included into OpenLDAP.
The patch adds an LDAP option called LDAP_OPT_X_SASL_NOCANON to disable host
name canonicalization using reverse DNS for the host name that is passed into
SASL. Instead, it passes verbatim the host name part from the LDAP URI and lets
SASL do the canonicalization. The option is disabled by default.
Kerberos requires a canonical host name to work. Traditionally, host name
canonicalization has been done using reverse DNS. However, this is problematic.
See the comment below from the MIT Kerberos source on this subject:
/* XXX: This is *so* bogus. There are several cases where
this won't get us the canonical name of the host, but
this is what we've trained people to expect. We'll
probably fix it at some point, but let's try to
preserve the current behavior and only shake things up
once when it comes time to fix this lossage. */
Since some time MIT Kerberos has support for server-side canonicalization which
is an alternative for the DNS based scheme. By default it uses both, but with an
option "rdns = no", reverse DNS can be disabled.
The use case for this is environments that do not have reverse DNS set up
correctly. Especially in Windows Active Directory environments this is very
common. Administrators are afraid to enable scavenging for their zones, and
therefore any server IP change will leave a stale PTR record in place. This
breaks reverse DNS based canonicalization if the IP adress is reassigned.
The behaviour enabled by this patch should remain optional and cannot become the
default. It breaks the use case when multiple LDAP servers are load balanced
using a CNAME record.