[Freeipa-users] Replication Issue

Rich Megginson rmeggins at redhat.com
Mon Apr 8 15:52:40 UTC 2013


On 04/05/2013 08:53 PM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>> You were correct, my reverse DNS entries for the master and replica
>>>> were missing. Odd, since they both existed at one point.
>>> Rob,
>>> I think we should open a ticket against 389ds, we should never depend on
>>> PTR records.
>>>
>>> In this case I believe the ldap libraries are at fault since they now
>>> force SASL canonicalization on which is known to be broken for gssapi as
>>> it causes reverse resolution.
>>>
>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>> Yes.
>> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
> I looked at the code, and this is called only if the env variable
> HACK_SASL_NOCANON is set.
>
> I think this should be the default instead.
>
>> Should this be off by default?  Should this be configurable?
> Maybe make it configurable, I do not have a strong love for 1M knobs,
> but it should be on by default, relying on reverse resolution defeats
> mutual authentication through very simple DNS attacks. See this blog
> post for details: http://ssimo.org/blog/id_015.html
https://fedorahosted.org/389/ticket/47317
>
> Simo.
>

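As an added illustration of the two points raised in the thread (the bind failing when PTR records are missing, and canonicalization letting the PTR owner choose which service principal the client asks for), the following Python is example code written for this page, not code from 389ds, FreeIPA or the thread. The hostnames, addresses, realm and the resolver tables in the demo are constructed; the real resolvers it falls back to are the standard library's socket calls.

```python
import socket


def gssapi_target_principal(configured_host, ptr_name, nocanon, realm="EXAMPLE.TEST"):
    """Service principal the client will ask the KDC for when binding.

    nocanon=True models LDAP_OPT_X_SASL_NOCANON being on: the name the
    administrator configured is used as-is.  nocanon=False models
    canonicalization: the name from the address's PTR record replaces it,
    so whoever controls the reverse zone picks the principal.  With no PTR
    at all no name can be derived (the failure seen in the thread), which
    this model reports as None.
    """
    if nocanon:
        host = configured_host
    elif ptr_name:
        host = ptr_name
    else:
        return None
    return "ldap/%s@%s" % (host.rstrip(".").lower(), realm)


def check_reverse_dns(hostname, forward=None, reverse=None):
    """Map each address of hostname to 'consistent', 'missing-ptr' or
    'mismatch:<ptr name>'.  forward/reverse are injectable resolvers
    (hostname -> list of IPs, IP -> PTR name or None); the defaults use
    the system resolver, so the check can run against a live deployment."""
    if forward is None:
        forward = lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
    if reverse is None:
        def reverse(ip):
            try:
                return socket.gethostbyaddr(ip)[0]
            except (socket.herror, socket.gaierror):
                return None
    want = hostname.rstrip(".").lower()
    report = {}
    for ip in forward(hostname):
        ptr = reverse(ip)
        if ptr is None:
            report[ip] = "missing-ptr"          # GSSAPI bind with canonicalization fails
        elif ptr.rstrip(".").lower() == want:
            report[ip] = "consistent"
        else:
            report[ip] = "mismatch:" + ptr      # principal would differ under canonicalization
    return report


if __name__ == "__main__":
    # Constructed tables standing in for DNS: one PTR correct, one missing.
    fwd = lambda h: {"ipa.example.test": ["192.0.2.10", "192.0.2.11"]}[h]
    rev = lambda ip: {"192.0.2.10": "ipa.example.test"}.get(ip)
    print(check_reverse_dns("ipa.example.test", fwd, rev))
```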