On 04/05/2013 11:49 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>> You were correct, my reverse DNS entries for the master and replica
>>>> were missing. Odd, since they both existed at one point.
>>> Rob,
>>> I think we should open a ticket against 389ds, we should never depend on
>>> PTR records.
>>>
>>> In this case I believe the ldap libraries are at fault since they now
>>> force SASL canonicalization on which is known to be broken for gssapi as
>>> it causes reverse resolution.
>>>
>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>> Yes.
>> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld,
>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>
>> Should this be off by default?  Should this be configurable?
> On by default (meaning no canonicalization is performed) is the correct
> behavior.
>
> I do not think we need it to be configurable for now.
>
> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>
> Does DS do reverse resolution of replication peers somewhere ?
Not explicitly, no, but probably somewhere inside openldap.

> Simo.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users