| [SERVER-23723] LDAP Authorization on Linux with GSSAPI requires RDNS resolution to round-robined LDAP servers | Created: 14/Apr/16 | Updated: 06/Dec/22 |
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 1 |
| Labels: | ldap | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: | Server Security |
| Sprint: | Security 15 (06/03/16) |
| Participants: |
| Description |
Because Active Directory Domain Controllers are responsible for a whole domain, the domain name presumably resolves to them round robin. By default, the domain name itself has no SPN pointing to an LDAP server. This means that when OpenLDAP receives a referral to a subdomain in the forest, it uses the domain name to connect to a server which hosts that domain, and is then unable to GSSAPI bind to the server. This can be corrected by setting up PTR entries from each DC's IP address back to the correct hostname. The Windows LDAP API does not require this. It seems likely that it performs a query for the RootDSE to acquire the DNS name the server believes it operates under. Alternatively, it might be performing an SRV lookup of some kind. Either way, this suggests that reverse DNS resolvability might not be guaranteed in Windows environments. As such, the Linux LDAP authorization subsystem should try to operate under these conditions as well. |
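The failure mode described above, and the two client-side ways around it (PTR records, or asking the server for its own dnsHostName via the RootDSE), as an added illustrative simulation for this ticket. This is not MongoDB, OpenLDAP or Windows code: the A/PTR records, the RootDSE answers and the set of registered SPNs are all constructed, and the rule that a missing PTR record leaves the literal hostname in place is an assumption made for the demonstration.

```python
"""
Why a GSSAPI bind to a round-robin domain name fails, and which client-side
name-selection strategy recovers. Added example for SERVER-23723; all DNS
and directory data here is constructed, not captured from a real forest.
"""
from urllib.parse import urlparse

# Constructed forward DNS: the child domain name round-robins to its DCs.
A_RECORDS = {
    "child.example.com": ["10.0.1.10", "10.0.1.11"],
    "dc1.child.example.com": ["10.0.1.10"],
    "dc2.child.example.com": ["10.0.1.11"],
}

# Constructed reverse DNS. Only dc1 has a PTR record; dc2 does not,
# which is exactly the gap the ticket says cannot be assumed away.
PTR_RECORDS = {
    "10.0.1.10": "dc1.child.example.com",
}

# Constructed RootDSE data: the DNS name each DC reports for itself.
ROOTDSE_DNSHOSTNAME = {
    "10.0.1.10": "dc1.child.example.com",
    "10.0.1.11": "dc2.child.example.com",
}

# Constructed SPNs registered in the forest. DCs register ldap/<dnsHostName>;
# by default nothing registers ldap/<domain name>.
REGISTERED_SPNS = {
    "ldap/dc1.child.example.com",
    "ldap/dc2.child.example.com",
}


def pick_address(host, rr_index=0):
    """Round-robin selection over the A records for host."""
    addrs = A_RECORDS[host]
    return addrs[rr_index % len(addrs)]


def target_name(referral_url, strategy, rr_index=0):
    """
    Return the hostname the client will place in its Kerberos service
    principal (ldap/<name>) when following referral_url.

    strategy:
      "url"     - use the URL host exactly as written (the failing case)
      "ptr"     - reverse-resolve the address actually connected to
      "rootdse" - ask the server for its dnsHostName (what the ticket
                  suspects the Windows LDAP API does)
    """
    host = urlparse(referral_url).hostname
    addr = pick_address(host, rr_index)
    if strategy == "url":
        return host
    if strategy == "ptr":
        # Assumption for this demo: with no PTR record there is nothing to
        # canonicalise to, so the literal (domain) name is kept.
        return PTR_RECORDS.get(addr, host)
    if strategy == "rootdse":
        # Stands in for: ldapsearch -x -H ldap://<addr> -s base -b '' dnsHostName
        return ROOTDSE_DNSHOSTNAME[addr]
    raise ValueError(f"unknown strategy {strategy!r}")


def gssapi_bind_would_succeed(referral_url, strategy, rr_index=0):
    """Return (spn, ok): ok is True only if the requested SPN is registered."""
    spn = "ldap/" + target_name(referral_url, strategy, rr_index)
    return spn, spn in REGISTERED_SPNS


if __name__ == "__main__":
    referral = "ldap://child.example.com/DC=child,DC=example,DC=com"
    for strategy in ("url", "ptr", "rootdse"):
        for i in (0, 1):
            spn, ok = gssapi_bind_would_succeed(referral, strategy, i)
            print(f"{strategy:8} dc#{i}: {spn:28} {'OK' if ok else 'FAIL'}")
```

Running it shows the three outcomes the description argues about: the literal domain name never matches a registered SPN, the PTR approach works only for the DC that happens to have a reverse record, and the RootDSE approach succeeds for every DC the round robin lands on without depending on reverse DNS at all.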
| Comments |
| Comment by Spencer Jackson [ 23/Feb/18 ] |
It turns out the GSSAPI_ALLOW_REMOTE_PRINCIPAL flag only has an effect when libldap is compiled with the GSSAPI module. The configure flag to make libldap compile the GSSAPI module has been removed since 2009. |
| Comment by Spencer Jackson [ 06/Jun/16 ] |
I suspect this isn't as necessary as I initially believed. There appears to be a libldap configuration option which should allow it to do this for us. From the man pages:
This could still be valuable, but we should wait to see if there's demand first. |