Joel Johnson wrote:
I've been having issues with SASL and having the hostname canonicalized in two places, once in OpenLDAP's SASL code, and again in the SASL provider (GSSAPI) library. I'm able to disable the SASL mechanism step, but it is mandatory in current OpenLDAP code.
I found discussion from a few months ago surrounding the submittal of a patch to disable hostname canonicalization [1]. The issue appeared to be settled with discussion of a single use case where the URI references a CNAME which redirects to one of several machines in a cluster, in which case the canonicalization needs to be done to relate to the actual machine connected to. I agree that in such a situation, the canonicalization is required.
I have one of many imaginable use cases, however, where the canonicalization strictly must *not* occur in order for proper function. Two cases that I have personally, I'm sure there are others that are similar:
- On my home network I wish to use OpenLDAP, but my local server is on a DSL connection and I have no control over the DNS PTR records, and as such the records are effectively meaningless to the operation of my system. I do impose the requirement of mandatory TLS (via security ssf=128) which in and of itself provides stronger server authentication than name canonicalization via reverse DNS.
On my home network I used /etc/hosts for a while, now I just run my own caching DNS and make it primary for my subnet.
I propose that this would be a very valuable option, especially since there are cases where name canonicalization is infeasible if not impossible, as well as the fact that combined with TLS stronger server authentication is available. To use GSSAPI with SASL, it should also be noted that the more recent Kerberos RFCs have specifically required that reverse DNS *not* be used [3]. I'm looking for comments on the viability of such a patch being included in the base software, as well as comments on the patch itself.
No. RFC4120 says that *insecure name services* should not be used for canonicalization. On my machines, the local /etc/hosts file is a secure name service. Likewise, my local DNS server is secure. You're focusing on the wrong part of this RFC text. Secure your name service providers.
Thanks, Joel Johnson
[1] http://www.openldap.org/lists/openldap-devel/200710/msg00088.html
[2] http://www.lixil.net/~mrjoel/contrib/openldap/sasl-canonicalization-configur...
[3] RFC 4120 - "Implementations of Kerberos and protocols based on Kerberos MUST NOT use insecure DNS queries to canonicalize the hostname components of the service principal names"
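The reverse-DNS canonicalization step argued over in this thread, as an added example that is not code from OpenLDAP, Cyrus SASL or either poster: it forward-resolves the URI host (following CNAMEs), reverse-resolves the address, and accepts the PTR name for the service principal only if it forward-confirms. It runs against a constructed in-memory resolver, so all names and addresses below are made up; the two resolvers model the cluster case and the home/DSL case described above.

```python
# Added example, not code from OpenLDAP or Cyrus SASL: a model of the
# reverse-DNS canonicalization step debated above, run against a constructed
# in-memory resolver so it works offline.  All names and addresses are made up.

class FakeResolver:
    """Constructed stand-in for a name service (DNS or /etc/hosts)."""
    def __init__(self, a, cname, ptr):
        # a: name -> address, cname: alias -> target, ptr: address -> name
        self.a, self.cname, self.ptr = a, cname, ptr

    def forward(self, name):
        seen = set()
        while name in self.cname and name not in seen:  # follow the CNAME chain
            seen.add(name)
            name = self.cname[name]
        return self.a.get(name)

    def reverse(self, addr):
        return self.ptr.get(addr)

def canonicalize(resolver, uri_host):
    """Return (host_for_principal, reverse_confirmed).

    Use the PTR name only if it forward-confirms, i.e. resolves back to the
    same address.  Otherwise keep the configured name, which is what a
    'no canonicalization' switch would give."""
    addr = resolver.forward(uri_host)
    if addr is None:
        raise LookupError(f"{uri_host}: no address record")
    rname = resolver.reverse(addr)
    if rname is not None and resolver.forward(rname) == addr:
        return rname, True
    return uri_host, False

# Case 1 (the cluster use case): a CNAME that currently points at one member,
# whose PTR record forward-confirms, so the member name is safe to use.
CLUSTER = FakeResolver(
    a={"ldap1.example.com": "10.0.0.1", "ldap2.example.com": "10.0.0.2"},
    cname={"ldap.example.com": "ldap1.example.com"},
    ptr={"10.0.0.1": "ldap1.example.com", "10.0.0.2": "ldap2.example.com"},
)
# Case 2 (the home/DSL use case): the ISP's PTR names a host that does not
# resolve back, so it is useless for building a service principal.
HOME = FakeResolver(
    a={"home.example.net": "203.0.113.7"},
    cname={},
    ptr={"203.0.113.7": "203-0-113-7.dsl.isp.example"},
)

if __name__ == "__main__":
    print(canonicalize(CLUSTER, "ldap.example.com"))  # ('ldap1.example.com', True)
    print(canonicalize(HOME, "home.example.net"))     # ('home.example.net', False)
```

The forward-confirmation check is the part that distinguishes a PTR worth trusting from one that merely exists; a real client would additionally rely on the name service being secure, as the reply above insists.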