[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_int_sasl_bind() and canonical Kerberos names

--On October 24, 2007 10:42:43 PM +0100 Simon Wilkinson <simon@sxw.org.uk> wrote:

The patch unconditionally disables hostname canonicalisation for the sasl client.

I think this will break GSSAPI connections to LDAP servers that are behind DNS round robin style load balancers.

Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap2. The
LDAP library initiates a connection to 'ldap', and DNS points it to
'ldap-1'. Providing you ask SASL to set up a connection to 'ldap-1',
you're fine (this is what the code does at the moment). However, if you
ask the SASL library for a connection to 'ldap' (this is what your change
does, as far as I can tell), and the library does a canonicalisation step
(as most Kerberos implementations currently do), it will get 'ldap-2'
back from the DNS. So, you end up trying to negotiate a SASL connection
with 'ldap-2', when you're actually connected to 'ldap-1'. This tends not
to work.


Thanks!  That'd completely destroy Stanford's setup.  Ouch.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration