[SERVER-23723] LDAP Authorization on Linux with GSSAPI requires RDNS resolution to round-robined LDAP servers Created: 14/Apr/16  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 1
Labels: ldap
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Sprint: Security 15 (06/03/16)
Participants:

Description

Because Active Directory Domain Controllers are responsible for a whole domain, the domain name will presumably resolve to them round-robin. By default, the domain name itself does not have an SPN pointing to an LDAP server. This means that when OpenLDAP receives a referral to a subdomain in the forest, it will use the domain name to connect to a server which hosts the domain, and will be unable to GSSAPI bind to that server. This can be corrected by setting up PTR entries from each DC's IP address back to the correct hostname.

The Windows LDAP API does not require this. It seems likely that it performs a query for the RootDSE to acquire the DNS name the server believes it operates under. Alternatively, it might be performing an SRV lookup of some kind. Either way, this suggests that reverse DNS resolvability might not be guaranteed in Windows environments. As such, the Linux LDAP authorization subsystem should try to operate in these conditions as well.
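The three ways of naming the target in the description (the dialled domain name, a PTR record for the DC's address, and the RootDSE's own dnsHostName/ldapServiceName, which is also what the GSSAPI_ALLOW_REMOTE_PRINCIPAL option in the comments below is about) can be made concrete as the principal-selection logic a client would run before a GSSAPI bind. The following is an added, illustrative reimplementation of that selection and is not libldap's, MongoDB's or Microsoft's code; the RootDSE attribute values, the PTR table and the 192.0.2.10 address are constructed sample data, and the function names are this example's own.

```python
"""Choose the Kerberos target principal for a GSSAPI LDAP bind.

Illustrative reimplementation (not libldap's code) of the choice the
ticket describes: prefer the name the server reports about itself in its
RootDSE, fall back to a PTR lookup of the address we connected to, and
only as a last resort use the hostname that was dialled. The last case
is the failure mode in the ticket: a round-robined domain name such as
child.example.com has no ldap/ SPN on any domain controller.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample of what a base-scope search of "" for dnsHostName and
# ldapServiceName returns from one DC of a child domain. ldapServiceName
# has the shape "<forest-root-dns>:<machine-account>$@<REALM>".
SAMPLE_ROOTDSE: Dict[str, List[str]] = {
    "dnsHostName": ["dc01.child.example.com"],
    "ldapServiceName": ["example.com:dc01$@CHILD.EXAMPLE.COM"],
}

# Constructed stand-in for PTR records (the fix the ticket says works today).
SAMPLE_PTR: Dict[str, str] = {"192.0.2.10": "dc01.child.example.com"}


def realm_from_ldap_service_name(value: str) -> Optional[str]:
    """Return the REALM part of an ldapServiceName value, or None if malformed."""
    _, at, realm = value.rpartition("@")
    return realm if at and realm else None


def principal_from_rootdse(rootdse: Dict[str, List[str]]) -> Optional[str]:
    """Form ldap/<dnsHostName>@<REALM> from RootDSE attributes.

    Returns None when either attribute is missing, so the caller can fall
    back instead of binding with a guessed name.
    """
    hosts = rootdse.get("dnsHostName") or []
    names = rootdse.get("ldapServiceName") or []
    if not hosts or not names:
        return None
    realm = realm_from_ldap_service_name(names[0])
    if realm is None:
        return None
    return f"ldap/{hosts[0].rstrip('.').lower()}@{realm}"


def principal_from_reverse_dns(address: str, realm: str,
                               ptr_lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """PTR-based fallback: map the connected address back to a DC hostname."""
    hostname = ptr_lookup(address)
    if not hostname:
        return None
    return f"ldap/{hostname.rstrip('.').lower()}@{realm}"


def target_principal(dialled_host: str, address: str, default_realm: str,
                     rootdse: Dict[str, List[str]],
                     ptr_lookup: Callable[[str], Optional[str]],
                     allow_remote_principal: bool = True) -> str:
    """Pick the principal in order: RootDSE (if allowed), PTR, dialled name."""
    if allow_remote_principal:
        principal = principal_from_rootdse(rootdse)
        if principal:
            return principal
    principal = principal_from_reverse_dns(address, default_realm, ptr_lookup)
    if principal:
        return principal
    # Failure mode from the ticket: ldap/<domain-name> exists on no DC.
    return f"ldap/{dialled_host.rstrip('.').lower()}@{default_realm}"


if __name__ == "__main__":
    no_ptr = lambda _addr: None  # environment without reverse DNS
    for allow, ptr in ((True, no_ptr), (False, SAMPLE_PTR.get), (False, no_ptr)):
        print(f"remote_principal={allow!s:5} ptr={'yes' if ptr is not no_ptr else 'no ':3} ->",
              target_principal("child.example.com", "192.0.2.10", "CHILD.EXAMPLE.COM",
                               SAMPLE_ROOTDSE, ptr, allow))
```

Running the block prints the RootDSE-derived and PTR-derived principals as ldap/dc01.child.example.com@CHILD.EXAMPLE.COM and, for the case with neither, ldap/child.example.com@CHILD.EXAMPLE.COM, which is the name that produces the bind failure in the ticket. The RootDSE read itself is not shown here because the example runs offline; the attribute values are what an anonymous base-scope search of the empty DN on the DC returns.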



Comments
Comment by Spencer Jackson [ 23/Feb/18 ]

It turns out the GSSAPI_ALLOW_REMOTE_PRINCIPAL flag only has an effect when libldap is compiled with the GSSAPI module. The configure flag to make libldap compile the GSSAPI module has been removed since 2009.

Comment by Spencer Jackson [ 06/Jun/16 ]

I suspect this isn't as necessary as I initially believed. There appears to be a libldap configuration option which should allow it to do this for us. From the man pages:

       GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
              Specifies if GSSAPI based authentication should try to form
              the target principal name out of the ldapServiceName or
              dnsHostName attribute of the target's RootDSE entry. The
              default is off.

This could still be valuable, but we should wait to see if there's demand first.

Generated at Thu Feb 08 04:04:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.