On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> >
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> >
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on, which is known to be broken for gssapi as
> > it causes reverse resolution.
> >
> > Rich, do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all?
> Yes.
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
I looked at the code, and this is called only if the env variable
HACK_SASL_NOCANON is set. I think this should be the default instead.

> Should this be off by default? Should this be configurable?

Maybe make it configurable, I do not have a strong love for 1M knobs, but it
should be on by default, relying on reverse resolution defeats mutual
authentication through very simple DNS attacks.

See this blog post for details: http://ssimo.org/blog/id_015.html

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users