krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
Paul W. Nelson
nelson at thursby.com
Wed Apr 9 11:02:04 EDT 2003
One thing that would be great in the short term would be to allow
application writers to provide their own canonicalization function.
By default, any given krb5_context would use the stuff that is in
krb5_sname_to_principal.
Then provide a way to assign an external canonicalization function to the
context - one that would be provided by the application developer.
This would allow me to fix two problems at once:
1) I don't HAVE to rely on reverse name lookups
2) I can work around other problematic stuff in LDAP/SASL where that code
also does reverse lookups. The latest OpenLDAP reverse looks up a name
using 'getnameinfo'.
--
Paul W. Nelson
Thursby Software Systems, Inc.
> From: Sam Hartman <hartmans at mit.edu>
> Date: Tue, 08 Apr 2003 16:24:35 -0400
> To: "Paul W. Nelson" <nelson at thursby.com>
> Cc: krbdev <krbdev at mit.edu>
> Subject: Re: krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
>
>>>>>> "Paul" == Paul W Nelson <nelson at thursby.com> writes:
>
> Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
> Paul> unavoidable?
>
> Yes.
>
> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
>
> You have the following incompatible use cases:
>
> 1) People who want reverse resolution to work so that clustering
> works, i.e. dialup.university.edu will return some A record that
> you want to reverse resolve because it is some instance of
> dialup.university.edu.
>
> 2) People who have broken reverse DNS and who just want a forward lookup.
>
> 3) People who want no hostname canonicalization at all because they
> actually want security.
>
> Suggestions on how we can improve the mess greatly appreciated.
>
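The three use cases Sam lists, and the pluggable canonicalizer Paul asks for, can be sketched in a few lines. The following is an added illustration, not code from MIT krb5 or from either poster; the DNS tables, the `Context` class, the `EXAMPLE.COM` realm and the `sname_to_principal` helper are all constructed for the example, and no real resolver is consulted. The reverse table is deliberately set up so that the PTR record for the LDAP server's address points at an unrelated name, which is exactly why use case 3 exists: whoever controls the reverse zone for an address decides which service principal a reverse-canonicalizing client will ask the KDC for.

```python
"""Pluggable service-hostname canonicalization (illustrative, not MIT krb5's own code)."""

from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for forward (A) and reverse (PTR) DNS data.
FORWARD = {
    "dialup.university.edu": "192.0.2.10",     # cluster name
    "dialup-7.university.edu": "192.0.2.10",   # the member actually answering
    "ldap.example.com": "192.0.2.20",
}
REVERSE = {
    "192.0.2.10": "dialup-7.university.edu",
    # Constructed: the reverse zone for this address is not under the client's
    # control and names a host the client never asked about.
    "192.0.2.20": "evil.example.net",
}

Canonicalizer = Callable[[str], str]


def canon_none(host: str) -> str:
    """Use case 3: no DNS at all; only drop a trailing dot and lowercase."""
    return host.rstrip(".").lower()


def canon_forward_only(host: str) -> str:
    """Use case 2: confirm the name resolves, but never consult PTR records."""
    host = canon_none(host)
    if host not in FORWARD:
        raise LookupError(f"no A record for {host}")
    return host  # a real resolver would also follow CNAMEs here


def canon_forward_reverse(host: str) -> str:
    """Use case 1: forward lookup, then reverse-resolve the address.

    This is the behaviour the thread attributes to krb5_sname_to_principal:
    it makes clustered names work, but trusts the reverse zone.
    """
    host = canon_none(host)
    addr = FORWARD.get(host)
    if addr is None:
        raise LookupError(f"no A record for {host}")
    return REVERSE.get(addr, host)


@dataclass
class Context:
    """Stand-in for a krb5_context carrying an application-supplied canonicalizer."""
    realm: str
    canonicalize: Canonicalizer = canon_forward_reverse  # library default

    def set_canonicalizer(self, fn: Canonicalizer) -> None:
        """The hook Paul proposes: let the application override the default."""
        self.canonicalize = fn


def sname_to_principal(ctx: Context, service: str, host: str) -> str:
    """Build service/host@REALM using whatever canonicalizer the context holds."""
    return f"{service}/{ctx.canonicalize(host)}@{ctx.realm}"


if __name__ == "__main__":
    ctx = Context(realm="EXAMPLE.COM")
    for fn in (canon_forward_reverse, canon_forward_only, canon_none):
        ctx.set_canonicalizer(fn)
        print(fn.__name__, sname_to_principal(ctx, "ldap", "LDAP.example.com."))
```

Run with the default canonicalizer, the LDAP client ends up requesting a ticket for `ldap/evil.example.net@EXAMPLE.COM`; switching the context to `canon_forward_only` or `canon_none` yields `ldap/ldap.example.com@EXAMPLE.COM` regardless of what the reverse zone says. (Later MIT krb5 releases expose this same choice through the `rdns` and `dns_canonicalize_hostname` settings in `[libdefaults]`, a fact outside this thread.)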