krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Paul W. Nelson nelson at
Wed Apr 9 11:02:04 EDT 2003

One thing that would be great in the short term would be to allow
application writers to provide their own canonicalization function.

By default, any given krb5_context would use the stuff that is in

Then provide a way to assign an external canonicalization function to the
context - one that would be provided by the application developer.

This would allow me to fix two problems at once:
1) I don't HAVE to rely on reverse name lookups
2) I can work around other problematic stuff in LDAP/SASL where that code
also does reverse lookups.  The latest OpenLDAP reverse looks up a name
using 'getnameinfo'.

Paul W. Nelson
Thursby Software Systems, Inc.

> From: Sam Hartman <hartmans at>
> Date: Tue, 08 Apr 2003 16:24:35 -0400
> To: "Paul W. Nelson" <nelson at>
> Cc: krbdev <krbdev at>
> Subject: Re: krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
>>>>>> "Paul" == Paul W Nelson <nelson at> writes:
>   Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
>   Paul> unavoidable?
> Yes.
> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
> You have the following incompatible use cases:
> 1) People who want reverse resolution to work so that clustering
>  works.  I.E. will return some A record that
>  you want to reverse resolve because it is some instance of
> 2) People who have broken reverse DNS and who just want a forward lookup.
> 3) People who want no hostname canonicalization at all because they
>   actually want security.
> Suggestions on how we can improve the mess greatly appreciated.
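The three use cases in Sam's list, together with Paul's idea of a canonicalization function that the application assigns to a context, as an added Python illustration that is not part of the thread or of MIT krb5. The realm, host names and zone data are constructed stand-ins for DNS, and the `reverse` policy models libkrb5's behaviour only as far as the thread describes it.

```python
from dataclasses import dataclass
from typing import Callable, Dict
REALM = "EXAMPLE.COM"  # constructed realm; libkrb5 would derive it from the host

# Constructed zone data standing in for DNS; nothing here touches the network.
CNAME = {"ldap-old.example.com": "ldap.example.com"}   # alias -> canonical name
A = {"ldap.example.com": "192.0.2.10",                  # service name, round-robin A (case 1)
     "broken.example.com": "192.0.2.20"}                # host whose PTR is stale (case 2)
PTR = {"192.0.2.10": "node1.example.com",               # the cluster instance behind the A record
       "192.0.2.20": "decommissioned.example.com"}      # reverse zone never got updated
Canonicalizer = Callable[[str], str]

def forward(host: str) -> str:
    """Follow CNAMEs to the canonical forward name; never consult the reverse zone."""
    name, seen = host.lower().rstrip("."), set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    if name not in A:
        raise LookupError(f"no A record for {host}")
    return name

def reverse(host: str) -> str:
    """Forward-resolve, then take the PTR name for the address (the lookup the thread describes)."""
    name = forward(host)
    return PTR.get(A[name], name)

def verbatim(host: str) -> str:
    """Use the name exactly as the caller gave it; DNS gets no say in who we authenticate to."""
    return host.lower().rstrip(".")

@dataclass
class Context:
    # Paul's proposal: the canonicalizer is a slot the application may replace.
    canonicalize: Canonicalizer = reverse

def sname_to_principal(ctx: Context, host: str, service: str = "host") -> str:
    """Build a principal in krb5_sname_to_principal's service/hostname@REALM form using ctx's policy."""
    return f"{service}/{ctx.canonicalize(host)}@{REALM}"

def compare(host: str) -> Dict[str, str]:
    """Principal each policy yields for one name; lookup failures are reported as text."""
    out = {}
    for label, fn in (("reverse", reverse), ("forward", forward), ("verbatim", verbatim)):
        try:
            out[label] = sname_to_principal(Context(fn), host)
        except LookupError as err:
            out[label] = f"error: {err}"
    return out
```

Running `compare` over the three constructed hosts shows why no single default satisfies everyone: the reverse policy is the only one that finds the cluster instance, and the only one that follows a stale PTR.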
