On 04/05/2013 01:50 PM, Rich Megginson wrote:
> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>> were missing. Odd, since they both existed at one point.
>>>> Rob,
>>>> I think we should open a ticket against 389ds, we should never
>>>> depend on PTR records.
>>>>
>>>> In this case I believe the ldap libraries are at fault since they now
>>>> force SASL canonicalization on which is known to be broken for
>>>> gssapi as it causes reverse resolution.
>>>>
>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>> Yes.
>>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>
>>> Should this be off by default? Should this be configurable?
>> On by default (meaning no canonicalization is performed) is the correct
>> behavior.
>>
>> I do not think we need it to be configurable for now.
>>
>> But it puzzles me then as to why Brent sees a failure w/o PTR records.
>>
>> Does DS do reverse resolution of replication peers somewhere ?
> Not explicitly, no, but probably somewhere inside openldap.

Can it be that SASL layer does it?

>> Simo.
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
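The failure Brent hit above comes down to a forward name whose addresses have no PTR record, or a PTR that maps back to a different name, which is exactly what a canonicalizing SASL/GSSAPI bind trips over. The check below is an added example written for this thread; it is not code from 389ds, FreeIPA, OpenLDAP or any poster. `check_peer` resolves a peer's name forward, then resolves each address back and compares the result with the original name. The resolver functions are injectable: the defaults use the system resolver via the `socket` module, and the constructed `SAMPLE_FORWARD`/`SAMPLE_REVERSE` tables (hypothetical zone data, not from the thread) let it run offline and show the missing-PTR and mismatched-PTR cases side by side.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Resolver hooks: forward(name) -> list of IPs, reverse(ip) -> canonical name.
# Defaults use the system resolver; the sample tables below are injected
# instead so the demo runs without network access.
ForwardFn = Callable[[str], List[str]]
ReverseFn = Callable[[str], str]


def system_forward(name: str) -> List[str]:
    """Forward lookup via the system resolver (A/AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(ip: str) -> str:
    """Reverse lookup via the system resolver (PTR); raises OSError if none."""
    return socket.gethostbyaddr(ip)[0]


def check_peer(name: str, forward: ForwardFn = system_forward,
               reverse: ReverseFn = system_reverse) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for one replication peer.

    The peer is consistent when every address its name resolves to has a PTR
    record and that PTR points back to the same name (compared case-insensitively
    and without the trailing dot). A missing PTR and a mismatching PTR are
    reported as separate problems because they need different zone fixes.
    """
    problems: List[str] = []
    canonical = name.rstrip(".").lower()
    try:
        addrs = forward(name)
    except OSError as exc:
        return False, [f"{name}: forward lookup failed ({exc})"]
    if not addrs:
        return False, [f"{name}: no A/AAAA records"]
    for ip in addrs:
        try:
            ptr = reverse(ip)
        except OSError:  # socket.herror/gaierror are OSError subclasses
            problems.append(f"{name} -> {ip}: no PTR record")
            continue
        if ptr.rstrip(".").lower() != canonical:
            problems.append(f"{name} -> {ip} -> {ptr}: PTR does not match forward name")
    return (not problems), problems


def check_topology(peers: List[str], forward: ForwardFn = system_forward,
                   reverse: ReverseFn = system_reverse) -> Dict[str, List[str]]:
    """Run check_peer over every peer; returns only the peers with problems."""
    report: Dict[str, List[str]] = {}
    for peer in peers:
        ok, problems = check_peer(peer, forward, reverse)
        if not ok:
            report[peer] = problems
    return report


# Constructed sample zone data (hypothetical, not from the thread).
SAMPLE_FORWARD = {
    "master.example.test.": ["192.0.2.10"],
    "replica.example.test.": ["192.0.2.11"],
    "stale.example.test.": ["192.0.2.12"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": "master.example.test",
    # 192.0.2.11 deliberately has no PTR: the situation Brent described.
    "192.0.2.12": "oldname.example.test",  # PTR left pointing at a renamed host
}


def sample_forward(name: str) -> List[str]:
    """Forward lookup against the constructed table."""
    return list(SAMPLE_FORWARD[name])


def sample_reverse(ip: str) -> str:
    """Reverse lookup against the constructed table; mimics NXDOMAIN with herror."""
    try:
        return SAMPLE_REVERSE[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    report = check_topology(list(SAMPLE_FORWARD), sample_forward, sample_reverse)
    for peer, problems in report.items():
        print(peer)
        for problem in problems:
            print("   ", problem)
```

To run it against a real topology, call `check_topology(["master.example.test", "replica.example.test"])` with the default resolvers from a host that uses the same DNS as the directory servers; a clean result is an empty dict. Whether the bind actually needs the PTR depends on the client library honouring the NOCANON setting discussed above, so this check tells you the zone is consistent, not that canonicalization has been disabled.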
