Core Server: SERVER-23723

LDAP Authorization on Linux with GSSAPI requires RDNS resolution to round-robined LDAP servers



    • Improvement
    • Status: Backlog
    • Major - P3
    • Resolution: Unresolved
    • Security
    • Security 15 (06/03/16)


      Because Active Directory Domain Controllers are responsible for a whole domain, the domain name will presumably resolve to them in round-robin fashion. By default, the domain does not have an SPN pointing to an LDAP server. This means that when OpenLDAP receives a referral to a subdomain in the forest, it will use the domain name to connect to a server which hosts the domain, and will be unable to GSSAPI bind to that server. This can be corrected by setting up PTR entries from each DC's IP address back to the correct hostname.

      The Windows LDAP API does not require this. It seems likely that it performs a query for the RootDSE to acquire the DNS name the server believes it operates under. Alternatively, it might be performing an SRV lookup of some kind. Either way, this suggests that reverse DNS resolvability might not be guaranteed in Windows environments. As such, the Linux LDAP authorization subsystem should try to operate in these conditions as well.
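An added diagnostic, not part of this ticket or of MongoDB's code, that checks the PTR workaround described above: for each address a round-robined domain name returns, it confirms a PTR record exists and forward-resolves back to that address, then forms the ldap/ principal a GSSAPI client would end up targeting. The domain, realm and DNS records are constructed sample data; passing no tables makes the lookups query live DNS instead.

```python
import socket

# Constructed sample DNS data (not from the ticket): a round-robined domain name
# answering with three domain controllers. 10.0.0.12 has no PTR record, and the
# PTR for 10.0.0.13 names a host whose forward record no longer covers that address.
SAMPLE_A = {
    "corp.example.com": ["10.0.0.11", "10.0.0.12", "10.0.0.13"],
    "dc1.corp.example.com": ["10.0.0.11"],
    "dc2.corp.example.com": ["10.0.0.12"],
    "dc3.corp.example.com": ["10.0.0.99"],
}
SAMPLE_PTR = {"10.0.0.11": "dc1.corp.example.com", "10.0.0.13": "dc3.corp.example.com"}

def lookup_a(name, table=None):
    """IPv4 addresses for a name: from the sample table, or live DNS when table is None."""
    if table is not None:
        return list(table.get(name, []))
    try:
        infos = socket.getaddrinfo(name, 389, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def lookup_ptr(ip, table=None):
    """PTR hostname for an address, or None when no reverse record exists."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def audit_dc_ptrs(domain, realm, a_table=None, ptr_table=None):
    """Derive, for each address behind the round-robined domain name, the LDAP
    service principal a GSSAPI client ends up targeting after reverse resolution.
    A PTR counts only if its hostname resolves forward to the same address; None
    means the client is left with the bare domain name, which has no ldap/ SPN."""
    spns = {}
    for ip in lookup_a(domain, a_table):
        host = lookup_ptr(ip, ptr_table)
        if host is None or ip not in lookup_a(host, a_table):
            spns[ip] = None
            continue
        spns[ip] = f"ldap/{host.lower()}@{realm}"
    return spns

if __name__ == "__main__":
    report = audit_dc_ptrs("corp.example.com", "CORP.EXAMPLE.COM", SAMPLE_A, SAMPLE_PTR)
    for ip, spn in report.items():
        print(ip, spn or "no usable PTR; GSSAPI bind to this DC would fail")
```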




            Team: Backlog - Security Team
            Spencer Jackson (spencer.jackson@mongodb.com)