Full_Name: Alexandr Nedvedicky
Version: 2.46
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.193.76)
Disclaimer: I understand I'm asking for a change, which might be disruptive for many OpenLDAP users.
The issue popped up as a fallout of the transition from Mozilla LDAP to OpenLDAP. Mozilla LDAP does not canonicalize hostnames using DNS by default, while OpenLDAP does the exact opposite. Using DNS to canonicalize hosts to a domain name opens a potential attack vector via DNS spoofing.
For example, the samba client opts out of name canonicalization; the snippet comes from lib/libsmbns/common/smbns_ads.c:

    /*
     * smb_ads_open
     *
     * Open an LDAP connection to a discovered AD server for the specified domain.
     * Specify our capability to support LDAP_VERSION3 when binding to the AD
     * server. On success, returns an AD handle. Otherwise, returns NULL.
     *
     * By default, 'encrypt_ldap' property is set to B_TRUE. For debugging
     * purposes, it can be set to B_FALSE to disable LDAP encryption.
     *
     * Pre-condition:
     * A Kerberos TGT ticket must be found in ccache in order to acquire a LDAP
     * service ticket.
     *
     * Parameters:
     * domain - fully-qualified domain name
     */
    static smb_ads_handle_t *
    smb_ads_open(char *domain)
    {
    ....
                    (void) ldap_unbind(ld);
                    return (NULL);
            }

            (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
            (void) ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

            ah->ld = ld;
            ah->domain = strdup(domain);

            if (ah->domain == NULL) {
                    smb_ads_close(ah);
                    smb_ads_free_host(ads_host);
                    return (NULL);
            }
I can't tell how other projects handle, or prefer to handle, the NOCANON option. Solaris is considering tightening the knob and saying 'yes to NOCANON' in order to suppress hostname canonicalization.
As I've said, I fully understand if you decide not to change the current default, as the change might hurt many users. I just want to share the experience we got when switching from Mozilla LDAP to OpenLDAP.