Details
Improvement
Resolution: Done
Major - P3
Description
This is a follow-on to SERVER-8479.
If the server reports both the SASL service name and host name via ismaster, and drivers are altered to use the result of ismaster when doing GSSAPI authentication, then GSSAPI could be used for authentication in environments without complete DNS setups.
Drivers would need a hook to let the client application decide if it was willing to authenticate to the principal reported by ismaster. However, since security-conscious consumers will already be validating the server's SSL certificate, they should already trust the server by the time they're using ismaster to find out its GSSAPI identity.
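A sketch of the kind of client-side hook the description asks for, added here as an example and not taken from the ticket or from any driver. The names `ReportedIdentity`, `PrincipalPolicy` and `approve_principal` are hypothetical, as is the shape of the reported values, since the ticket does not name the ismaster fields; the host names are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReportedIdentity:
    # Hypothetical container for the values the server would report via ismaster.
    service_name: str
    host_name: str

@dataclass(frozen=True)
class PrincipalPolicy:
    allowed_services: frozenset      # e.g. {"mongodb"}
    allowed_host_patterns: tuple     # exact names or "*.suffix" (one label only)
    require_verified_tls: bool = True

def normalize_host(host):
    # Compare hosts case-insensitively and without a trailing root dot.
    return host.strip().rstrip(".").lower()

def host_matches(host, pattern):
    pattern = normalize_host(pattern)
    if pattern.startswith("*."):
        # The wildcard covers exactly one leftmost label, as in TLS name matching.
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return host == pattern

def approve_principal(policy, reported, tls_verified):
    """Return the GSSAPI host-based target 'service@host', or None to refuse."""
    # The reported identity is only as trustworthy as the channel it arrived on.
    if policy.require_verified_tls and not tls_verified:
        return None
    service = reported.service_name
    host = normalize_host(reported.host_name)
    # Refuse empty values and characters that would alter the principal's structure.
    if not service or not host or any(c in service + host for c in "/@ \t\r\n\x00"):
        return None
    if service not in policy.allowed_services:
        return None
    if not any(host_matches(host, p) for p in policy.allowed_host_patterns):
        return None
    return f"{service}@{host}"

# Constructed sample policy: one service name, one internal DNS suffix.
POLICY = PrincipalPolicy(frozenset({"mongodb"}), ("*.db.example.internal",))
```

Returning `None` means the application declines to authenticate to the reported principal, so the driver would not request a Kerberos ticket for it.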