On 04/05/2013 01:50 PM, Rich Megginson wrote:
> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>> were missing. Odd, since they both existed at one point.
>>>> Rob,
>>>> I think we should open a ticket against 389ds, we should never
>>>> depend on
>>>> PTR records.
>>>>
>>>> In this case I believe the ldap libraries are at fault since they now
>>>> force SASL canonicalization on which is know to be broken for
>>>> gssapi as
>>>> it causes reverse resolution.
>>>>
>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>> Yes.
>>> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld,
>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>
>>> Should this be off by default?  Should this be configurable?
>> On by default (meaning no canonicalization is performed) is the coreect
>> behavior.
>>
>> I do not think we need it to be configurable for now.
>>
>> But it puzles me then as to why Brent sees a failure w/o ptr records.
>>
>> Does DS do reverse resolution of replication peers somewhere ?
> Not explicitly, no, but probably somewhere inside openldap.

Can it be that SASL layer does it?

>
>>
>> Simo.
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to