[Freeipa-users] Replication Issue

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 5 19:16:09 UTC 2013


On Fri, 05 Apr 2013, Dmitri Pal wrote:
>On 04/05/2013 01:50 PM, Rich Megginson wrote:
>> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>>> were missing. Odd, since they both existed at one point.
>>>>> Rob,
>>>>> I think we should open a ticket against 389ds, we should never
>>>>> depend on
>>>>> PTR records.
>>>>>
>>>>> In this case I believe the ldap libraries are at fault since they now
>>>>> force SASL canonicalization on which is known to be broken for
>>>>> gssapi as
>>>>> it causes reverse resolution.
>>>>>
>>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>>> Yes.
>>>> ldap/servers/slapd/ldaputil.c:    ldap_set_option(ld,
>>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>>
>>>> Should this be off by default?  Should this be configurable?
>>> On by default (meaning no canonicalization is performed) is the correct
>>> behavior.
>>>
>>> I do not think we need it to be configurable for now.
>>>
>>> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>>>
>>> Does DS do reverse resolution of replication peers somewhere ?
>> Not explicitly, no, but probably somewhere inside openldap.
>
>Can it be that the SASL layer does it?
By default libldap does canonicalization of hostnames. Disabling
canonicalization is a boolean option which has to be set and by default
libldap initializes all boolean options to false except referrals
handling.

If LDAP_OPT_X_SASL_NOCANON is not set explicitly, it is never set by
libldap itself.

-- 
/ Alexander Bokovoy
