The Stanford OpenLDAP service relies almost exclusively on GSSAPI
authentication for its access control. This means clients doing LDAP
searches use Kerberos. Normally, Kerberos authentication depends on
specific DNS configuration.
Example: A client search
ldapsearch -h ldap.stanford.ed
On January 6, 2017 10:21:18 AM EST, Adam Lewenberg wrote:
>1. One option is to require all of our customers to use Kerberos with the
>reverse DNS lookup disabled. How much extra risk do we take on by not
>using the reverse DNS check?
Security-wise, none at all. The reverse DNS lookup is not a feat
Jeffrey Hutzelman writes:
> The problem you may be more likely to run into is that the server might
> not actually be able to accept tickets for more than one service
> principal at a time. That is, it can be configured to accept the
> server's own principal name or the shared one, but not both.
That is recommended in any case. The service should have its own keytab, and
you control the allowed names by what's in the keytab. Much simpler coding as
well.
Personal email. hbh...@oxy.edu
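The point above, that the server's accepted service principals are simply whatever is in its keytab, is easy to verify on a running system by listing the keytab. The following is an added example, not code from anyone in this thread or from OpenLDAP: a small parser for the MIT keytab file format (version 0x0502) that lists the principals a keytab holds and answers "would this keytab let the server accept a ticket for principal X?". The sample keytab bytes are constructed inline; the host names, realm and key material are placeholders.

```python
"""Inspect a Kerberos keytab: which service principals would a server accept?

Added example; assumes the MIT keytab on-disk format (version 0x0502):
  2 bytes  version (0x05 0x02)
  per entry: int32 size (negative = deleted slot), then
    uint16 component count, counted realm, counted components,
    uint32 name type, uint32 timestamp, uint8 kvno,
    uint16 enctype, uint16 key length, key bytes,
    optional uint32 kvno (used when nonzero)
Counted strings are uint16 length + bytes.
"""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. ldap/host.example.edu@EXAMPLE.EDU
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return the live entries of a keytab, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # deleted slot: skip |size| bytes of padding
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present; trust it only when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def accepted_principals(data: bytes):
    """Distinct principal names a server using this keytab can decrypt tickets for."""
    return sorted({e.principal for e in parse_keytab(data)})


def would_accept(data: bytes, service_principal: str) -> bool:
    """True if a ticket for service_principal could be verified with this keytab."""
    return service_principal in accepted_principals(data)


# --- constructed sample keytab (placeholder names and all-zero/one keys) ---
def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


# One keytab holding both the host's own name and a shared service name.
SAMPLE_KEYTAB = build_keytab([
    ("ldap/ldap1.example.edu@EXAMPLE.EDU", 3, 18, b"\x00" * 32),  # enctype 18 = aes256-cts
    ("ldap/ldap.example.edu@EXAMPLE.EDU", 3, 18, b"\x11" * 32),
])

if __name__ == "__main__":
    for p in accepted_principals(SAMPLE_KEYTAB):
        print("accepts:", p)
    print(would_accept(SAMPLE_KEYTAB, "ldap/other.example.edu@EXAMPLE.EDU"))
```

Against a real service keytab, `parse_keytab(open(path, "rb").read())` gives the same view as `klist -k`; the practical check is that every name clients will target (the host's own name, the shared name, or both) appears in the list and nothing else does, since any extra entry is a name the server will silently honour.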
> On Jan 6, 2017, at 9:13 AM, Russ Allbery wrote:
>
> Jeffrey Hutzelman writes:
>
>> The problem y