On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on which is know to be broken for gssapi as
> > it causes reverse resolution.
> > Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
I looked at the code, and this is called only if the env variable
HACK_SASL_NOCANON is set.
I think this should be the default instead.
> Should this be off by default? Should this be configurable?
Maybe make it configurable, I do not have a strong love for 1M knobs,
but it should be on by default, relying on reverse resolution defeats
mutual authentication through very simple DNS attacks. See this blog
post for details: http://ssimo.org/blog/id_015.html
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list