Bug#573596: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature

Russ Allbery rra at debian.org
Sat Jun 19 17:49:49 UTC 2010


Dominic Hargreaves <dom at earth.li> writes:

> And just to make explicit, there is a suggested improvement in the
> Debian BTS:

>     # If we're talking to a round-robin, the canonical name of
>     # the host we are talking to might not match the name we
>     # requested
>     my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
>     my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
>     my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
>     $connected_name ||= $ldap->{net_ldap_host};

Graham, the current code cannot possibly work with Kerberos GSS-API SASL
authentications.  Here's what it currently says:

      # If we're talking to a round-robin, the canonical name of
      # the host we are talking to might not match the name we
      # requested
      my $connected_name = $ldap->{net_ldap_socket}->peerhost;
      $connected_name ||= $ldap->{net_ldap_host};

And from IO::Socket::INET:

    peerhost ()
        Return the address part of the sockaddr structure for the socket on
        the peer host in a text form xx.xx.xx.xx

You cannot do a Kerberos SASL authentication to an IP address.  It will
never work; Kerberos doesn't support it.  Kerberos requires a hostname.
So setting the connected name to an IP address will always, always fail if
you're using GSS-API authentication.

Right now, everyone who wants to use Net::LDAP with Kerberos GSS-API
authentication needs to patch Net::LDAP; otherwise, the module is
completely unusable if that's the required authentication mechanism.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
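The difference between the two snippets above, as an added Python illustration (not Net::LDAP's own Perl): the reverse lookup is a constructed table standing in for gethostbyaddr(), and all function names are assumptions of this example.

```python
import ipaddress
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

# Constructed reverse-DNS table standing in for gethostbyaddr(); a real
# client would ask the resolver, and that answer is only as trustworthy
# as whoever controls the reverse zone.
CONSTRUCTED_RDNS = {
    "10.0.0.5": "ldap1.example.com.",
    "10.0.0.6": "ldap2.example.com.",
}


def is_ip_literal(name: str) -> bool:
    """True for 'xx.xx.xx.xx' (or IPv6) text, the form peerhost() returns."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def is_valid_kerberos_host(name: str) -> bool:
    """Kerberos derives the service principal from a DNS name, never an address."""
    if not name or is_ip_literal(name):
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def current_connected_name(peer_addr: str, requested_host: str) -> str:
    """What the current Net::LDAP code yields: peerhost() text, i.e. the IP literal."""
    return peer_addr or requested_host


def proposed_connected_name(peer_addr: str, requested_host: str,
                            rdns=CONSTRUCTED_RDNS.get) -> str:
    """The Debian BTS suggestion: reverse-resolve the peer, else keep the requested name."""
    name = rdns(peer_addr) or requested_host
    return name.rstrip(".").lower()


def gssapi_service_principal(connected_name: str, service: str = "ldap") -> str:
    """Build service/host as a GSSAPI SASL client would; refuse an IP literal."""
    if not is_valid_kerberos_host(connected_name):
        raise ValueError(f"not a usable Kerberos host name: {connected_name!r}")
    return f"{service}/{connected_name.rstrip('.').lower()}"
```

Whether a reverse lookup may choose the principal at all is a site policy question, since a forged PTR record would steer the client toward the wrong service principal; the fallback to the requested name is the conservative path.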