Passing options to Perl module GSSAPI is a bit clunky but doable.

It’s no secret I’m messing with Net::LDAP and Kerberos too, which means using Authen::SASL with a GSSAPI mechanism.

Confused? Well, I was, and I probably still am - although possibly a bit less. More on this in some future post, anyway.

One specific problem I encountered while trying to make the example (local version here) work was about some automatic DNS resolutions and canonicalization actions performed by the library, which make working with the FreeIPA demo impossible.

See also the ASCII-cast in Trying Kerberos. The need to add command-line option -N to ldapsearch has the same cause.

There seems to be no place where to put additional options in the GSSAPI bindings, and probably in the whole GSSAPI thing, which is a generic mechanism that might be tied to Kerberos, but not necessarily.

One way to get those options in place is through a configuration file, which the library goes to look for based on environment variable KRB5_CONFIG. In my case, to disable the annoyance it sufficed to do this:

$ export KRB5_CONFIG="$PWD/custom-krb5.conf"
$ cat > "$KRB5_CONFIG" <<'END'
[libdefaults]
# the library only reads these keys inside the [libdefaults] section
dns_canonicalize_hostname = false
# trailing colon: without it "MEMORY" would be taken as a file name
default_ccache_name = MEMORY:
END

Actually… only disabling dns_canonicalize_hostname was needed to make the example work, but I decided to avoid cluttering the filesystem anyway 😅
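As an added example, not code from the original post: a small POSIX shell script that writes the same custom krb5.conf into a temporary directory, exports KRB5_CONFIG, and then reads the file back to confirm the keys actually sit under [libdefaults]. The profile library silently ignores keys that appear before any section header, so a config that "looks right" can still leave DNS canonicalization enabled; the read-back check catches that. The directory name and the helper function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Writes a minimal krb5.conf,
# points KRB5_CONFIG at it, and verifies the settings are in [libdefaults].

# Write the custom profile to the path given as $1.
write_custom_krb5_conf() {
    cat > "$1" <<'END'
[libdefaults]
    # Do not rewrite KDC / service host names via DNS lookups.
    dns_canonicalize_hostname = false
    # Keep tickets in memory only; note the trailing colon on the ccache type.
    default_ccache_name = MEMORY:
END
}

# Print the value of key $2 inside section $1 of profile $3; empty if absent
# (including the case where the key exists but is outside that section).
krb5_conf_get() {
    awk -v want_section="$1" -v want_key="$2" '
        /^[[:space:]]*[#;]/ { next }                   # comment line
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {        # [section] header
            line = $0
            sub(/^[[:space:]]*\[/, "", line)
            sub(/\][[:space:]]*$/, "", line)
            section = line
            next
        }
        section == want_section && $0 ~ "^[[:space:]]*" want_key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$3"
}

# Create the profile under $1 (assumed default: $TMPDIR/krb5-example), export
# KRB5_CONFIG, and fail if dns_canonicalize_hostname would not take effect.
setup_krb5_env() {
    dir=${1:-"${TMPDIR:-/tmp}/krb5-example"}
    mkdir -p "$dir" || return 1
    KRB5_CONFIG="$dir/custom-krb5.conf"
    export KRB5_CONFIG
    write_custom_krb5_conf "$KRB5_CONFIG" || return 1
    [ "$(krb5_conf_get libdefaults dns_canonicalize_hostname "$KRB5_CONFIG")" = "false" ] || return 1
}
```

Source this file (or run `setup_krb5_env` from it) before starting the Perl program so the GSSAPI library inherits KRB5_CONFIG; the read-back check is what turns a silently ignored option into a visible failure.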

Now I’m left wondering how many security pitfalls are hidden in this intricate way of setting a few options… 🤯 I’ll probably go look into ldapsearch to see what they do.

Stay safe folks!