Hi, all:
SASL binding is successful, but only for a fixed, specific LDAP server. :-(
If a hostname is used for the LDAP server, and that hostname is resolved by the
DNS server to a series of IP addresses (usually serving as backup servers for the
primary one), then there is a possibility of using a TGT for host A to bind to
host B.
For example, I have come across the following situation:
==========================================================
1610 43.995272 157.55.143.63 157.54.14.162 DNS Standard query A ntdev.corp.test.com
1611 43.996618 157.54.14.162 157.55.143.63 DNS Standard query response A 157.54.80.10 A 172.31.79.153 A 172.31.79.151 A 172.31.79.155 A 172.31.79.156 A 157.54.104.75 A 172.31.79.154 A 172.31.79.144 A 172.31.79.140 A 172.31.79.142 A 172.31.79.146 A 10.192.150.46 A 172.31.79.150 A 172.31.79.143
...
1615 43.999395 157.55.143.63 157.54.14.162 DNS Standard query A ntdev.corp.test.com
1617 44.001772 157.54.14.162 157.55.143.63 DNS Standard query response A 172.31.79.153 A 172.31.79.151 A 172.31.79.155 A 172.31.79.156 A 157.54.104.75 A 172.31.79.154 A 172.31.79.144 A 172.31.79.140 A 172.31.79.142 A 172.31.79.146 A 10.192.150.46 A 172.31.79.150 A 172.31.79.143 A 157.54.80.10
1618 44.002698 157.55.143.63 157.54.14.162 DNS Standard query PTR 75.104.54.157.in-addr.arpa
1619 44.004056 157.54.14.162 157.55.143.63 DNS Standard query response PTR ntdev-dc-04.ntdev.corp.test.com
...
1636 44.017783 157.55.143.63 157.54.80.10 LDAP bindRequest(1) "<ROOT>" sasl
    sasl
        Ticket
            Server Name (Service and Host): ldap/ntdev-dc-04.ntdev.corp.test.com
==========================================================
In the configuration, the hostname "ntdev.corp.test.com" is set as the LDAP
server. But both 157.54.80.10 (ntdev-dc-01.ntdev.corp.test.com) and
157.54.104.75 (ntdev-dc-04.ntdev.corp.test.com) are in the list of resolved IP
addresses. Then, it uses the ticket acquired from 104.75 to bind to 80.10,
which generates an error KRB5KRB_AP_ERR_MODIFIED.
I guess the first DNS query is to get the IP address mapped to by the LDAP server
hostname "ntdev.corp.test.com", and it gets 157.54.80.10 in front of
157.54.104.75, while the second DNS query (and the later reverse DNS query) is
to get a TGT for use in SASL binding, and it gets 157.54.104.75 in front of
157.54.80.10.
The madness is due to the unique environment in the customer's company: a
large list of servers is mapped to the same host name, and the DNS query
results are dynamic. The good trace happened when the DNS query results were
consistent. The customer doesn't want to use an IP address or a specific hostname
(like "ntdev-dc-01.ntdev.corp.test.com" or "ntdev-dc-04.ntdev.corp.test.com")
to configure their LDAP server, because they are not fixed.
Is there any solution to this problem? I am at a loss as to what to do, since
the Mozilla LDAP library calls dealing with SASL binding don't directly involve
DNS stuff.
Looking forward to your help,
Xu Qiang
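A small simulation of the race described in the post, added here as an example (it is not code from the original poster or from the Mozilla LDAP SDK). The DNS data is constructed from the trace, limited to the two DCs the text identifies, and the two SPN-derivation strategies are hypothetical helper functions rather than SDK calls. It shows that building the SPN from a second, independent forward lookup names the wrong DC part of the time, while deriving it from the address the socket actually connected to never does.

```python
import random
from typing import Dict, List, Tuple

# Constructed zone data, modelled on the trace in the post: one LDAP service
# name with round-robin A records, and the two DCs the text identifies.
LDAP_HOSTNAME = "ntdev.corp.test.com"
FORWARD: Dict[str, List[str]] = {
    LDAP_HOSTNAME: ["157.54.80.10", "157.54.104.75"],
}
REVERSE: Dict[str, str] = {
    "157.54.80.10": "ntdev-dc-01.ntdev.corp.test.com",
    "157.54.104.75": "ntdev-dc-04.ntdev.corp.test.com",
}

def resolve_a(name: str, rng: random.Random) -> List[str]:
    """Simulated round-robin resolver: same record set, new order per query."""
    records = list(FORWARD[name])
    rng.shuffle(records)
    return records

def resolve_ptr(ip: str) -> str:
    """Simulated reverse lookup (the PTR query seen in frame 1618)."""
    return REVERSE[ip]

def spn_from_fresh_lookup(hostname: str, rng: random.Random) -> str:
    """Behaviour the trace shows: the SASL layer re-resolves the hostname,
    reverse-maps the first answer and names that host in the ticket."""
    return "ldap/" + resolve_ptr(resolve_a(hostname, rng)[0])

def spn_from_peer(peer_ip: str) -> str:
    """Fix: name the host behind the address the socket actually connected to
    (in real code, the getpeername() result), so no second lookup can disagree."""
    return "ldap/" + resolve_ptr(peer_ip)

def simulate_bind(hostname: str, rng: random.Random, use_peer: bool) -> Tuple[str, str, bool]:
    """One SASL bind attempt: returns (host connected to, SPN in ticket, match).
    A mismatch is what the DC rejects as KRB5KRB_AP_ERR_MODIFIED, since the
    ticket was encrypted with another host's key."""
    connect_ip = resolve_a(hostname, rng)[0]  # connect() takes the first A answer
    connected_host = resolve_ptr(connect_ip)
    spn = spn_from_peer(connect_ip) if use_peer else spn_from_fresh_lookup(hostname, rng)
    return connected_host, spn, spn == "ldap/" + connected_host

def mismatch_rate(hostname: str, use_peer: bool, trials: int = 200, seed: int = 1) -> float:
    """Fraction of bind attempts whose ticket names a host other than the peer."""
    rng = random.Random(seed)
    bad = sum(1 for _ in range(trials) if not simulate_bind(hostname, rng, use_peer)[2])
    return bad / trials
```

Calling `mismatch_rate(LDAP_HOSTNAME, use_peer=False)` gives a rate near 0.5 for two round-robin answers, while `use_peer=True` gives exactly 0.0.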
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap