Re: ldap_int_sasl_bind() and canonical Kerberos names
--On October 24, 2007 10:42:43 PM +0100 Simon Wilkinson <email@example.com>
The patch unconditionally disables hostname canonicalisation for
the sasl client.
I think this will break GSSAPI connections to LDAP servers that are
behind DNS round robin style load balancers.
Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap-2. The
LDAP library initiates a connection to 'ldap', and DNS points it to
'ldap-1'. Providing you ask SASL to set up a connection to 'ldap-1',
you're fine (this is what the code does at the moment). However, if you
ask the SASL library for a connection to 'ldap' (this is what your change
does, as far as I can tell), and the library does a canonicalisation step
(as most Kerberos implementations currently do), it will get 'ldap-2'
back from the DNS. So, you end up trying to negotiate a SASL connection
with 'ldap-2', when you're actually connected to 'ldap-1'. This tends not
Thanks! That'd completely destroy Stanford's setup. Ouch.
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration
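The failure mode Simon describes, modelled in Python as an added example (not code from this thread or from OpenLDAP): a constructed round-robin resolver stands in for DNS, and a simplified canonicalisation step stands in for the Kerberos library; all hostnames and the realm are placeholders.

```python
# Model of the GSSAPI/SASL target mismatch discussed in the thread.
# Constructed data: 'ldap.example.org' is a round-robin alias for two hosts.
from itertools import cycle

REALM = "EXAMPLE.ORG"  # placeholder realm
RR_ALIASES = {"ldap.example.org": ["ldap-1.example.org", "ldap-2.example.org"]}


class RoundRobinDNS:
    """Constructed resolver: each lookup of an alias returns the next target in rotation."""

    def __init__(self, aliases):
        self._rotors = {name: cycle(targets) for name, targets in aliases.items()}

    def resolve(self, name):
        rotor = self._rotors.get(name)
        return next(rotor) if rotor else name  # a real hostname resolves to itself


def kerberos_canonicalise(dns, hostname):
    """Simplified Kerberos client: canonicalise the host, then build ldap/<host>@REALM."""
    return f"ldap/{dns.resolve(hostname)}@{REALM}"


def bind_current(dns, requested):
    """Current behaviour: SASL is given the name of the host the socket actually reached."""
    connected = dns.resolve(requested)
    return connected, kerberos_canonicalise(dns, connected)


def bind_patched(dns, requested):
    """Patched behaviour: SASL is given the alias, so the Kerberos library resolves it again."""
    connected = dns.resolve(requested)
    return connected, kerberos_canonicalise(dns, requested)


def principal_matches(connected, target):
    """True when the service principal names the host we are connected to."""
    return target == f"ldap/{connected}@{REALM}"


def mismatches(bind, attempts=4):
    """Count binds whose negotiated principal does not match the connected host."""
    dns = RoundRobinDNS(RR_ALIASES)
    return sum(not principal_matches(*bind(dns, "ldap.example.org")) for _ in range(attempts))
```

With two targets behind the alias, every patched bind resolves the alias twice and lands on a different host for the principal than for the socket, while the current code never mismatches.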