On 04/05/2013 01:50 PM, Rich Megginson wrote:
> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>> were missing. Odd, since they both existed at one point.
>>>> I think we should open a ticket against 389ds, we should never
>>>> depend on
>>>> PTR records.
>>>> In this case I believe the ldap libraries are at fault since they now
>>>> force SASL canonicalization on which is know to be broken for
>>>> gssapi as
>>>> it causes reverse resolution.
>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>> Should this be off by default? Should this be configurable?
>> On by default (meaning no canonicalization is performed) is the coreect
>> I do not think we need it to be configurable for now.
>> But it puzles me then as to why Brent sees a failure w/o ptr records.
>> Does DS do reverse resolution of replication peers somewhere ?
> Not explicitly, no, but probably somewhere inside openldap.
Can it be that SASL layer does it?
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list