
(ITS#8870) SASL_NOCANON changing default to ON



Full_Name: Alexandr Nedvedicky
Version: 2.46
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.193.76)


Disclaimer: I understand I'm asking for change, which might be disruptive for
many OpenLDAP users.

The issue popped up as a fallout of the transition from Mozilla LDAP to OpenLDAP.
Mozilla LDAP does not canonicalize the hostname using DNS by default, while
OpenLDAP does the exact opposite. Using DNS to canonicalize hosts to a domain name
opens a potential attack vector via DNS spoofing.

For example, the Samba client opts out of name canonicalization; the
snippet comes from lib/libsmbns/common/smbns_ads.c:
/*
 * smb_ads_open
 *
 * Open an LDAP connection to a discovered AD server for the specified domain.
 * Specify our capability to support LDAP_VERSION3 when binding to the AD
 * server. On success, returns an AD handle. Otherwise, returns NULL.
 *
 * By default, 'encrypt_ldap' property is set to B_TRUE. For debugging
 * purposes, it can be set to B_FALSE to disable LDAP encryption.
 *
 * Pre-condition:
 *   A Kerberos TGT ticket must be found in ccache in order to acquire a LDAP
 *   service ticket.
 *
 * Parameters:
 *   domain - fully-qualified domain name
 */
static smb_ads_handle_t *
smb_ads_open(char *domain)
{
....
		(void) ldap_unbind(ld);
		return (NULL);
	}

	/* Do not chase referrals to servers this client did not choose. */
	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
	/* Use the configured host name as-is for SASL; skip DNS canonicalization. */
	(void) ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

	ah->ld = ld;
	ah->domain = strdup(domain);

	if (ah->domain == NULL) {
		smb_ads_close(ah);
		smb_ads_free_host(ads_host);
		return (NULL);
	}

I can't tell how other projects handle, or prefer to handle, the NOCANON
option. Solaris is considering tightening the knob and saying 'yes to NOCANON'
in order to suppress hostname canonicalization.

As I've said, I fully understand if you decide not to change the current
default, as the change might hurt many users. I would just rather share the
experience we got when switching from Mozilla LDAP to OpenLDAP.
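The report above describes the client-side API knob. Deployments that cannot change every application, or that want to lock the behaviour down for the stock OpenLDAP tools, can set the same option in the client configuration instead. The following is an added example, not part of the ITS report or of OpenLDAP itself: it writes the default (canonicalizing) client configuration beside a hardened one that sets `SASL_NOCANON on`, and provides a small audit function that tells whether a given ldap.conf has the option enabled. The host name `ldap.example.com` and the base DN are constructed placeholders; the directive names and accepted values are the ones documented in ldap.conf(5), and the audit treats the last `SASL_NOCANON` line in a file as authoritative, which is this example's own simplification.

```shell
#!/bin/sh
# Added example (not code from the ITS report or from OpenLDAP).
#
# With SASL_NOCANON unset (the default, "off"), libldap resolves the server
# name through DNS and uses the canonical name when building the SASL/GSSAPI
# service principal (ldap/<canonical-host>@REALM). A spoofed DNS answer can
# therefore redirect the client to an attacker-chosen host name before any
# authentication takes place. SASL_NOCANON on keeps the name the client was
# configured with.
#
# Per-command equivalents for the stock tools (no config change needed):
#   ldapwhoami -N -Y GSSAPI -H ldap://ldap.example.com      # -N: no canonicalization
#   LDAPSASL_NOCANON=on ldapsearch -Y GSSAPI -H ldap://ldap.example.com -b dc=example,dc=com

# The default client configuration: nothing about SASL_NOCANON, so libldap
# canonicalizes the host name via DNS. Written to the file named in $1.
write_default_ldap_conf() {
    cat > "$1" <<'EOF'
# Constructed example config: default behaviour, SASL host name is canonicalized via DNS
URI ldap://ldap.example.com
BASE dc=example,dc=com
EOF
}

# The hardened configuration: keep the configured host name for the SASL
# principal and refuse referrals to servers the client did not choose.
# Written to the file named in $1.
write_hardened_ldap_conf() {
    cat > "$1" <<'EOF'
# Constructed example config: hardened client settings
URI ldaps://ldap.example.com
BASE dc=example,dc=com
# Do not let a DNS lookup rewrite the host name used for the GSSAPI principal
SASL_NOCANON on
# Do not follow referrals to servers this client was not configured to trust
REFERRALS off
EOF
}

# Audit: return 0 if the ldap.conf named in $1 enables SASL_NOCANON
# (on/true/yes, case-insensitive, comments ignored), 1 otherwise.
# The last SASL_NOCANON line in the file wins (this example's simplification).
sasl_nocanon_enabled() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == "sasl_nocanon" {
            v = tolower($2)
            found = (v == "on" || v == "true" || v == "yes") ? 1 : 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone demonstration: write both configs and report what the audit says.
demo() {
    tmpdir=$(mktemp -d) || return 1
    write_default_ldap_conf "$tmpdir/ldap.conf.default"
    write_hardened_ldap_conf "$tmpdir/ldap.conf.hardened"
    for f in "$tmpdir/ldap.conf.default" "$tmpdir/ldap.conf.hardened"; do
        if sasl_nocanon_enabled "$f"; then
            echo "$f: SASL_NOCANON enabled, host name used as configured"
        else
            echo "$f: SASL_NOCANON off, host name will be canonicalized via DNS"
        fi
    done
    rm -rf "$tmpdir"
}

demo
```

The audit is deliberately strict about spelling: a value such as `SASL_NOCANON 1` is not one of the documented forms and is reported as not enabled, which is the safer failure mode for a check whose purpose is to catch configurations that still canonicalize.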