
Re: (ITS#5812) New option to disable SASL host canonicalization



geert@boskant.nl wrote:
> Full_Name: Geert Jansen
> Version: 2.4
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/geert-jansen-081115.patch
> Submission from: (NULL) (12.230.186.195)
>
>
> This is a resubmission of my earlier patch in [1]. I'm asking for this patch to
> be included into OpenLDAP.
>
> The patch adds an LDAP option called LDAP_OPT_X_SASL_NOCANON to disable host
> name canonicalization using reverse DNS for the host name that is passed into
> SASL. Instead, it passes verbatim the host name part from the LDAP URI and lets
> SASL do the canonicalization. The option is disabled by default.

> For some time MIT Kerberos has had support for server-side canonicalization which
> is an alternative for the DNS based scheme. By default it uses both, but with an
> option "rdns = no", reverse DNS can be disabled.
>
> The use case for this is environments that do not have reverse DNS set up
> correctly. Especially in Windows Active Directory environments this is very
> common. Administrators are afraid to enable scavenging for their zones, and
> therefore any server IP change will leave a stale PTR record in place. This
> breaks reverse DNS based canonicalization if the IP address is reassigned.
>
> The behaviour enabled by this patch should remain optional and cannot become the
> default. It breaks the use case when multiple LDAP servers are load balanced
> using a CNAME record.

In reviewing this patch, I see some technical issues to resolve:

1) You seem to be making the ldap_set_option "arg" parameter optional; there 
appears to be no justification for this (significant) behavioral change.

2) If you're dealing with a KDC that supports this feature, then it would make 
the most sense for this to be a site-wide option. As such, it should be 
possible for the setting to become the default, and an ldap.conf keyword 
should exist to control that setting.

3) Your addition of the option to the command line tools is boolean; if the 
command line option is present the option will be turned on, otherwise it will 
be turned off. This requires too much knowledge on the part of the user 
running the tool, to decide whether they need the option or not. Again, it 
should allow a system-wide setting, and the command-line option should be 
tri-state: on / off / default.

Users should not be required to learn about this option before using the 
command-line tools; the sysadmin should set it site-wide when the KDC is known 
to support it.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
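The two failure modes argued over in this thread (a stale PTR record after an IP
reassignment versus a load-balancing CNAME) can be made concrete with a small
model. The following is an added illustration, not code from OpenLDAP, Cyrus SASL
or either poster: it uses constructed forward, CNAME and PTR tables in place of
real DNS, a constructed set of principals standing in for what a KDC knows about,
and a hypothetical tri-state setting (`None` = use the ldap.conf default) to show
the precedence Howard asks for in point 3. The "canonicalize" path models what the
thread describes, reverse DNS of the address actually connected to; the "nocanon"
path passes the URI host verbatim and stops there, ignoring whatever canonicalization
the SASL library might apply afterwards.

```python
"""Model of SASL host canonicalization choices for LDAP/GSSAPI.

Constructed DNS data and KDC principal list; not OpenLDAP's or Cyrus SASL's
own logic. The only purpose is to show which service principal a client
ends up asking for under each setting.
"""
from urllib.parse import urlsplit

# Constructed DNS: two LDAP servers, a CNAME that load-balances across them,
# and a PTR zone in which 10.0.0.7 moved from old-dc to ldap2 but the stale
# PTR was never scavenged (the situation described in the original report).
A_RECORDS = {
    "ldap1.example.com": "10.0.0.5",
    "ldap2.example.com": "10.0.0.7",
}
CNAMES = {"ldap.example.com": ["ldap1.example.com", "ldap2.example.com"]}
PTR_RECORDS = {
    "10.0.0.5": "ldap1.example.com",
    "10.0.0.7": "old-dc.example.com",   # stale: this IP now belongs to ldap2
}

# Constructed: service principals the (assumed) KDC has keys for.
KDC_PRINCIPALS = {"ldap/ldap1.example.com", "ldap/ldap2.example.com"}


def effective_nocanon(cli_value, conf_default=False):
    """Tri-state command-line option: True/False override the site-wide
    ldap.conf default, None means 'use the default'. Names are hypothetical."""
    return conf_default if cli_value is None else bool(cli_value)


def resolve(host, pick=0):
    """Forward-resolve a host; a CNAME is followed to one of its targets
    (pick selects which, standing in for round-robin)."""
    targets = CNAMES.get(host, [host])
    target = targets[pick % len(targets)]
    return target, A_RECORDS[target]


def sasl_hostname(uri, nocanon, pick=0):
    """Host name handed to SASL for the service principal."""
    host = urlsplit(uri).hostname
    if nocanon:
        # Verbatim host part of the LDAP URI; no reverse lookup at all.
        return host
    # Canonicalize: connect, then reverse-resolve the peer address.
    _, ip = resolve(host, pick)
    return PTR_RECORDS.get(ip, host)


def service_principal(uri, nocanon, pick=0):
    return "ldap/" + sasl_hostname(uri, nocanon, pick)


def auth_outcome(uri, nocanon, pick=0):
    """(principal requested, whether the assumed KDC can issue a ticket for it)."""
    princ = service_principal(uri, nocanon, pick)
    return princ, princ in KDC_PRINCIPALS


if __name__ == "__main__":
    cases = [
        ("ldap://ldap.example.com/", 0),   # CNAME, lands on ldap1
        ("ldap://ldap2.example.com/", 0),  # direct host with a stale PTR
    ]
    for uri, pick in cases:
        for cli in (None, True, False):
            nocanon = effective_nocanon(cli, conf_default=False)
            princ, ok = auth_outcome(uri, nocanon, pick)
            print(f"{uri:28} cli={str(cli):5} nocanon={nocanon!s:5} "
                  f"-> {princ:26} {'OK' if ok else 'FAIL'}")
```

Running it shows both halves of the argument: with canonicalization the CNAME
works (the PTR of the chosen backend yields `ldap/ldap1.example.com`) but the
stale PTR on 10.0.0.7 produces `ldap/old-dc.example.com`, which no KDC key
matches; with the verbatim host the stale PTR is irrelevant but the CNAME name
itself becomes the principal, which the KDC does not have. Because the right
answer depends on the site's DNS and KDC, not on the user running a tool, the
default belongs in ldap.conf and the per-invocation switch only needs to
override it in either direction.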