Re: reverse lookup

[Marcus Moeller <marcus.moeller [at] gmx.ch>]

Hi again,

> > > On Tue, 2012-08-14 at 17:09 +0200, Marcus Moeller wrote:
> > > >  From https://bugzilla.redhat.com/show_bug.cgi?id=719060 there are two
> > > > options for disabling this check: by enabling SASL_NOCANON in ldap.conf
> > > > or by setting LDAPSASL_NOCANON environmental variable.
> > > >
> > > > But I guess in this case it has to be passed through to the libs by
> > > > nslcd.
> > >
> > > Thanks for pointing this out. In the development version I've added an
> > > sasl_canonicalize option that defaults to false. I'll see which release
> > > this can be put into but the patch is available here:
> > >
> > > http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1733&view=revision
>
> I have applied the above changes to 0.8.10 but sadly it does not seem to
> work. Neither it results in an updated manpage, nor does it seem to
> change the resolver behavior. Maybe I am missing something?

Ah, I got it. It only works with srv record lookup.

But a 'common' setup does not work with sasl_canonicalize, so I would 
NOT set 'sasl_canonicalize no' as default.

E.g. if one got an active directory domain like ad.mydomain.example 
which resolves to all ad domain controllers, in the past it was possible 
to simply set 'uri ldap://ad.mydomain.examle/' in nslcd.conf.

Without the modifications a query looked like this:

ldap_connect_to_host: TCP ad.mydomain.example:389
ldap_connect_to_host: Trying 192.168.0.10:389
...
ldap_int_sasl_open: host=dc1.ad.mydomain.example

With 'sasl_canonicalize no' set, a query looks like that:

ldap_connect_to_host: TCP ad.mydomain.example:389
ldap_connect_to_host: Trying 192.168.0.10:389
...
ldap_int_sasl_open: host=ad.mydomain.example

Which does not work, at least with GSSAPI.

Greets
Marcus


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/