The attached patch against 0.35 fixes an obscure problem with Net::LDAP when talking to a round-robin LDAP server(s) using SASL/GSSAPI authentication.
Without it, the SASL layer is passed the round-robin name, but if, when the SASL/GSSAPI layer attempts to canonicalise the address, it resolves to a different host to the one IO::Socket used for its connection, a service ticket for a conflicting server will be requested, and authentication will fail.

The patched version has been tested with SASL GSSAPI binds to round-robin and non-round-robin addresses.

Please consider this for inclusion in the next Net::LDAP release.

Thanks,

Dominic

--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
diff -urN perl-ldap-0.35/lib/Net/LDAP.pm perl-ldap-0.35.mine/lib/Net/LDAP.pm --- perl-ldap-0.35/lib/Net/LDAP.pm 2008-03-30 19:50:13.000000000 +0100 +++ perl-ldap-0.35.mine/lib/Net/LDAP.pm 2008-04-18 17:15:54.000000000 +0100 @@ -377,9 +377,16 @@ if $ldap->{net_ldap_version} < 3; my $sasl = $passwd; + + # If we're talking to a round-robin, the canonical name of + # the host we are talking to might not match the name we + # requested + my $connected_name = $ldap->{net_ldap_socket}->peerhost; + $connected_name ||= $ldap->{net_ldap_host}; + my $sasl_conn = eval { local($SIG{__DIE__}); - $sasl->client_new("ldap",$ldap->{net_ldap_host}); + $sasl->client_new("ldap",$connected_name); }; return _error($ldap, $mesg, LDAP_LOCAL_ERROR, "$@")
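Review bot: the new line `my $connected_name = $ldap->{net_ldap_socket}->peerhost;` is unguarded, and `peerhost` is an IO::Socket::INET method; for a connection made over an ldapi:// URL, `net_ldap_socket` is an IO::Socket::UNIX object (which offers `peerpath`, not `peerhost`), so a SASL bind over a Unix socket would now die in this block instead of binding. The `$connected_name ||= $ldap->{net_ldap_host};` fallback on the following line only covers an undefined or empty return value, not a missing method, so it does not catch this. Suggest guarding the call, e.g. `my $connected_name = $ldap->{net_ldap_socket}->can('peerhost') ? $ldap->{net_ldap_socket}->peerhost : undef;`, before the `||=` fallback. A second point for the comment block above the assignment: `peerhost` returns the peer's IP address rather than a host name, so the `ldap/<host>` service principal that `$sasl->client_new("ldap",$connected_name)` ends up requesting is now derived from reverse resolution of the connected address (subject to the Kerberos library's rdns handling) rather than from forward resolution of the configured name. That is exactly what fixes the round-robin case described in the mail, but it changes which principal a deployment must have provisioned, so it is worth stating explicitly in the comment rather than leaving it implicit in "canonical name".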