Re: reverse lookup


Hi again,

> On Tue, 2012-08-14 at 17:09 +0200, Marcus Moeller wrote:
> > From https://bugzilla.redhat.com/show_bug.cgi?id=719060 there are two
> > options for disabling this check: by enabling SASL_NOCANON in ldap.conf
> > or by setting the LDAPSASL_NOCANON environmental variable.
> >
> > But I guess in this case it has to be passed through to the libs by
> > nslcd.
>
> Thanks for pointing this out. In the development version I've added a
> sasl_canonicalize option that defaults to false. I'll see which release
> this can be put into but the patch is available here:
>
> http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1733&view=revision

I have applied the above changes to 0.8.10 but sadly it does not seem to
work. It neither results in an updated manpage nor does it seem to
change the resolver behavior. Maybe I am missing something?

Ah, I got it. It only works with SRV record lookup.

But a 'common' setup does not work with sasl_canonicalize, so I would NOT set 'sasl_canonicalize no' as default.

E.g. if one has an Active Directory domain like ad.mydomain.example which resolves to all AD domain controllers, in the past it was possible to simply set 'uri ldap://ad.mydomain.example/' in nslcd.conf.

Without the modifications a query looked like this:

ldap_connect_to_host: TCP ad.mydomain.example:389
ldap_connect_to_host: Trying 192.168.0.10:389
...
ldap_int_sasl_open: host=dc1.ad.mydomain.example

With 'sasl_canonicalize no' set, a query looks like this:

ldap_connect_to_host: TCP ad.mydomain.example:389
ldap_connect_to_host: Trying 192.168.0.10:389
...
ldap_int_sasl_open: host=ad.mydomain.example

Which does not work, at least with GSSAPI.

Greets
Marcus
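The two log excerpts above show the whole difference in one field: the host= value that libldap hands to GSSAPI, which becomes the ldap/<host> service principal it asks the KDC a ticket for. The following is an added example (not code from nss-pam-ldapd or OpenLDAP) that models that selection for a uri line from nslcd.conf, with and without host canonicalization, and checks the resulting principal against the set of principals the domain actually has. The A records, PTR records and the registered SPNs are constructed data standing in for DNS and the AD domain; the dc1/dc2 names and 192.168.0.x addresses follow the log lines above.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for DNS and for the SPNs registered in the AD domain.
A_RECORDS = {
    "ad.mydomain.example": ["192.168.0.10", "192.168.0.11"],  # domain alias: all DCs
    "dc1.ad.mydomain.example": ["192.168.0.10"],
    "dc2.ad.mydomain.example": ["192.168.0.11"],
}
PTR_RECORDS = {
    "192.168.0.10": "dc1.ad.mydomain.example",
    "192.168.0.11": "dc2.ad.mydomain.example",
}
# Only the per-DC names have an ldap/ principal; the alias does not.
REGISTERED_SPNS = {
    "ldap/dc1.ad.mydomain.example",
    "ldap/dc2.ad.mydomain.example",
}


def uri_host(uri):
    """Host part of an ldap:// or ldaps:// 'uri' line from nslcd.conf."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not a host-based LDAP URI: %r" % uri)
    return parts.hostname


def connect(host, a_records=A_RECORDS):
    """Mimic ldap_connect_to_host: the first address of the name is tried."""
    addrs = a_records.get(host)
    if not addrs:
        raise LookupError("no A record for %s" % host)
    return addrs[0]


def sasl_host(host, peer_ip, canonicalize, ptr_records=PTR_RECORDS):
    """Host name handed to the SASL layer (the host= in ldap_int_sasl_open).

    canonicalize=True  -> reverse-lookup name of the connected peer IP
    canonicalize=False -> the host exactly as written in the uri (SASL_NOCANON)
    """
    if not canonicalize:
        return host
    name = ptr_records.get(peer_ip)
    if name is None:
        raise LookupError("no PTR record for %s" % peer_ip)
    return name


def gssapi_spn(uri, canonicalize):
    """Service principal GSSAPI will request a ticket for."""
    host = uri_host(uri)
    peer = connect(host)
    return "ldap/" + sasl_host(host, peer, canonicalize)


def check_config(uris, canonicalize, spns=REGISTERED_SPNS):
    """Return [(uri, spn, spn_is_registered)] for each uri line."""
    result = []
    for uri in uris:
        spn = gssapi_spn(uri, canonicalize)
        result.append((uri, spn, spn in spns))
    return result


if __name__ == "__main__":
    alias_only = ["ldap://ad.mydomain.example/"]
    per_dc = ["ldap://dc1.ad.mydomain.example/",
              "ldap://dc2.ad.mydomain.example/"]
    cases = [("alias uri, sasl_canonicalize yes", alias_only, True),
             ("alias uri, sasl_canonicalize no", alias_only, False),
             ("per-DC uris, sasl_canonicalize no", per_dc, False)]
    for label, uris, canon in cases:
        print(label)
        for uri, spn, ok in check_config(uris, canon):
            print("  %-38s -> %-32s %s" % (uri, spn, "ok" if ok else "NO SUCH SPN"))
```

Run as is, it reproduces the thread: the alias uri works only while canonicalization is on, and with `sasl_canonicalize no` it yields ldap/ad.mydomain.example, for which no principal exists; listing each DC by its own name in nslcd.conf works without canonicalization. The `sasl_host` function also makes the security-relevant side of the default visible: with canonicalization on, the principal the client requests comes from an unauthenticated PTR answer for the peer address, so the choice of target service is driven by DNS data rather than by the configuration file.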


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/