On 04/05/2013 08:53 PM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>> You were correct, my reverse DNS entries for the master and replica
>>>> were missing. Odd, since they both existed at one point.
>>> Rob,
>>> I think we should open a ticket against 389ds, we should never depend on
>>> PTR records.
>>>
>>> In this case I believe the ldap libraries are at fault since they now
>>> force SASL canonicalization on which is known to be broken for gssapi as
>>> it causes reverse resolution.
>>>
>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all?
>> Yes.
>> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
> I looked at the code, and this is called only if the env variable
> HACK_SASL_NOCANON is set.
>
> I think this should be the default instead.
>
>> Should this be off by default?  Should this be configurable?
> Maybe make it configurable, I do not have a strong love for 1M knobs,
> but it should be on by default, relying on reverse resolution defeats
> mutual authentication through very simple DNS attacks. See this blog
> post for details: http://ssimo.org/blog/id_015.html
https://fedorahosted.org/389/ticket/47317

> Simo.


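An added illustration (not the thread's, libldap's or 389-ds code) of the name selection Simo describes: using constructed DNS tables for hypothetical servers ipa1/ipa2.example.com, it shows that canonicalization ties the GSSAPI target to the PTR record of the peer address, so a missing PTR breaks the bind (the symptom Brent hit) and a stale PTR targets a principal the admin never configured, while LDAP_OPT_X_SASL_NOCANON keeps the configured name.

```python
# Model (not libldap code) of how an LDAP client chooses the host in its
# GSSAPI target name "ldap@<host>" (which the KDC maps to ldap/<host>@REALM)
# with and without LDAP_OPT_X_SASL_NOCANON.  The DNS tables are constructed;
# a real client gets the same answers from getaddrinfo() and getnameinfo().

# Constructed forward (A) and reverse (PTR) records for two hypothetical servers.
FORWARD = {"ipa1.example.com": "192.0.2.10", "ipa2.example.com": "192.0.2.20"}
REVERSE = {"192.0.2.10": "ipa1.example.com"}            # 192.0.2.20 has no PTR
STALE_REVERSE = {"192.0.2.10": "oldname.example.com"}   # PTR left over from a rename


class CanonError(Exception):
    """Raised when canonicalization needs a PTR record that does not exist."""


def sasl_host(uri_host, nocanon, forward=FORWARD, reverse=REVERSE):
    """Return the host the client will put in its GSSAPI target ldap@<host>."""
    if nocanon:
        return uri_host              # use the name the admin configured, untouched
    addr = forward[uri_host]         # the address the client actually connects to
    try:
        return reverse[addr]         # reverse lookup of the peer address
    except KeyError:
        raise CanonError(f"no PTR record for {addr}") from None


def gssapi_target(uri_host, nocanon, **dns):
    """The service principal the client asks the KDC for a ticket to."""
    return "ldap@" + sasl_host(uri_host, nocanon, **dns)


def compare(uri_host, **dns):
    """Return (canon_result, nocanon_result) for one server; errors as strings."""
    try:
        canon = gssapi_target(uri_host, nocanon=False, **dns)
    except CanonError as e:
        canon = f"bind fails: {e}"
    return canon, gssapi_target(uri_host, nocanon=True, **dns)


if __name__ == "__main__":
    # Healthy DNS: both modes agree.
    print(compare("ipa1.example.com"))
    # Missing PTR (the symptom from the thread): only nocanon still binds.
    print(compare("ipa2.example.com"))
    # Stale PTR: canonicalization silently targets a principal the admin never
    # configured, so the ticket no longer proves the client reached ipa1.
    print(compare("ipa1.example.com", reverse=STALE_REVERSE))
```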
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users