On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> >
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> >
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on which is know to be broken for gssapi as
> > it causes reverse resolution.
> >
> > Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
> Yes.
> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, 

I looked at the code, and this is called only if the env variable

I think this should be the default instead.

> Should this be off by default?  Should this be configurable?

Maybe make it configurable, I do not have a strong love for 1M knobs,
but it should be on by default, relying on reverse resolution defeats
mutual authentication through very simple DNS attacks. See this blog
post for details: http://ssimo.org/blog/id_015.html


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to