On Fri, 05 Apr 2013, Dmitri Pal wrote:
On 04/05/2013 01:50 PM, Rich Megginson wrote:
On 04/05/2013 11:49 AM, Simo Sorce wrote:
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
On 04/05/2013 08:41 AM, Simo Sorce wrote:
On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
You were correct, my reverse DNS entries for the master and replica
were missing. Odd, since they both existed at one point.
Rob,
I think we should open a ticket against 389ds, we should never
depend on
PTR records.

In this case I believe the ldap libraries are at fault since they now
force SASL canonicalization on which is known to be broken for
gssapi as
it causes reverse resolution.

Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
Yes.
ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

Should this be off by default?  Should this be configurable?
On by default (meaning no canonicalization is performed) is the correct
behavior.

I do not think we need it to be configurable for now.

But it puzzles me then as to why Brent sees a failure w/o PTR records.

Does DS do reverse resolution of replication peers somewhere ?
Not explicitly, no, but probably somewhere inside openldap.

Can it be that SASL layer does it?
By default libldap does canonicalization of hostnames. Disabling
canonicalization is a boolean option which has to be set and by default
libldap initializes all boolean options to false except referrals
handling.

If LDAP_OPT_X_SASL_NOCANON is not set explicitly, it is never set by
libldap itself.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
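The thread above explains the mechanism only in prose: with LDAP_OPT_X_SASL_NOCANON off (the libldap default), the host name handed to SASL comes from a reverse lookup of the connected peer, so the GSSAPI target principal depends on the PTR record rather than on the configured host. The following is an added example written for this page, not code from the thread, from 389-ds or from OpenLDAP. It is a small Python model of that selection, with an injected reverse-lookup function so it runs offline against constructed DNS data, plus the check a practitioner would run over replication peers. It goes slightly beyond Brent's case (a missing PTR) and also covers a PTR that exists but names a different host. The "localhost" fallback when reverse resolution fails is my reading of libldap's ldap_host_connected_to() and is an assumption to verify against the libldap version in use; the host names, addresses and realm are constructed.

```python
"""Model of how libldap picks the SASL host name for a GSSAPI bind.

Added example, not code from the thread, 389-ds or OpenLDAP.  The DNS
tables are constructed.  The "localhost" fallback mirrors my reading of
libldap's ldap_host_connected_to() and is an assumption to verify.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample data: forward (A) and reverse (PTR) records for an
# IPA master, a replica whose PTR is deliberately absent, and a host whose
# PTR points at a different name than the one clients are configured with.
FORWARD: Dict[str, str] = {
    "ipa-master.example.test": "192.0.2.10",
    "ipa-replica.example.test": "192.0.2.11",
    "ipa-alias.example.test": "192.0.2.12",
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "ipa-master.example.test",
    # "192.0.2.11" intentionally missing: no PTR for the replica
    "192.0.2.12": "ipa-replica2.example.test",
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for getnameinfo() with NI_NAMEREQD: PTR name, or None on failure."""
    return REVERSE.get(ip)


def sasl_host_name(configured_host: str, peer_ip: str, nocanon: bool,
                   reverse_lookup: Callable[[str], Optional[str]] = ptr_lookup) -> str:
    """Return the host name libldap would hand to the SASL/GSSAPI layer.

    nocanon=True  (LDAP_OPT_X_SASL_NOCANON on): the configured host is used
                  verbatim and DNS is never consulted.
    nocanon=False (the libldap default): the connected peer address is
                  reverse-resolved; if that fails the name falls back to
                  "localhost" (assumption, see module docstring).
    """
    if nocanon:
        return configured_host
    canonical = reverse_lookup(peer_ip)
    return canonical if canonical else "localhost"


def gssapi_target(host: str, realm: str = "EXAMPLE.TEST") -> str:
    """Service principal Kerberos is asked for: ldap/<host>@REALM."""
    return f"ldap/{host}@{realm}"


def check_peer_dns(host: str) -> List[str]:
    """Check a replication peer's DNS the way a canonicalizing client needs it.

    Returns a list of findings; an empty list means forward and reverse
    records agree and a GSSAPI bind would target ldap/<host>@REALM.
    """
    ip = FORWARD.get(host)
    if ip is None:
        return [f"{host}: no A record"]
    ptr = REVERSE.get(ip)
    if ptr is None:
        return [f"{host}: {ip} has no PTR record; with canonicalization on "
                f"the bind targets {gssapi_target('localhost')}"]
    if ptr != host:
        return [f"{host}: PTR for {ip} is {ptr}; with canonicalization on "
                f"the bind targets {gssapi_target(ptr)}, not {gssapi_target(host)}"]
    return []


if __name__ == "__main__":
    for peer in FORWARD:
        ip = FORWARD[peer]
        for nocanon in (False, True):
            host = sasl_host_name(peer, ip, nocanon)
            print(f"{peer:26} nocanon={nocanon!s:5} -> {gssapi_target(host)}")
        for finding in check_peer_dns(peer):
            print("  !", finding)
```

Run it as-is to see the three cases side by side: with NOCANON on every peer yields ldap/&lt;configured-host&gt;@REALM, while with the default the replica without a PTR ends up targeting ldap/localhost and the aliased host targets the PTR name instead of the configured one. For real peers, replace FORWARD and REVERSE with the output of forward and reverse lookups (for example `dig +short A` and `dig +short -x`) before trusting the findings.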
