Re: ldap_int_sasl_bind() and canonical Kerberos names

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On October 24, 2007 10:42:43 PM +0100 Simon Wilkinson <simon@sxw.org.uk> 
wrote:

> > The patch unconditionally disables hostname canonicalisation for
> > the sasl client.
>
> I think this will break GSSAPI connections to LDAP servers that are
> behind DNS round robin style load balancers.
>
> Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap2. The
> LDAP library initiates a connection to 'ldap', and DNS points it to
> 'ldap-1'. Providing you ask SASL to set up a connection to 'ldap-1',
> you're fine (this is what the code does at the moment). However, if you
> ask the SASL library for a connection to 'ldap' (this is what your change
> does, as far as I can tell), and the library does a canonicalisation step
> (as most Kerberos implementations currently do), it will get 'ldap-2'
> back from the DNS. So, you end up trying to negotiate a SASL connection
> with 'ldap-2', when you're actually connected to 'ldap-1'. This tends not
> to work.

Simon,

Thanks!  That'd completely destroy Stanford's setup.  Ouch.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration