[Freeipa-users] Replication Issue
Simo Sorce
simo at redhat.com
Fri Apr 5 17:49:13 UTC 2013
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> >
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> >
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on, which is known to be broken for gssapi as
> > it causes reverse resolution.
> >
> > Rich, do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all?
> Yes.
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>
> Should this be off by default? Should this be configurable?
On by default (meaning no canonicalization is performed) is the correct
behavior.
I do not think we need it to be configurable for now.
But it puzzles me then as to why Brent sees a failure w/o PTR records.
Does DS do reverse resolution of replication peers somewhere?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
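As an added illustration (not code from this thread, from 389ds or from libldap), the following Python model shows why a missing PTR record breaks a GSSAPI bind when SASL canonicalization is on, and why it does not when LDAP_OPT_X_SASL_NOCANON is set. The zone data, hostnames and realm are constructed; the canonicalization step models getnameinfo() falling back to the numeric address when no PTR exists, and check_peer_dns() is the forward/reverse consistency check an admin would run on replication peers.

```python
# Added example (not from the thread, 389ds or libldap): a model of how SASL
# host canonicalization turns a missing PTR record into a failed GSSAPI bind.
# All zone data, hostnames and the realm below are constructed.

REALM = "EXAMPLE.TEST"
# Forward (A) records for a master and a replica.
FORWARD = {
    "ipa-master.example.test": "192.0.2.10",
    "ipa-replica.example.test": "192.0.2.11",
}
# Reverse (PTR) records: the replica's PTR is deliberately absent.
REVERSE = {"192.0.2.10": "ipa-master.example.test"}
# Service principals the KDC knows, keyed on the hosts' DNS names.
KDC_PRINCIPALS = {
    f"ldap/ipa-master.example.test@{REALM}",
    f"ldap/ipa-replica.example.test@{REALM}",
}

def canonicalize(host, forward=FORWARD, reverse=REVERSE):
    """Model of SASL canonicalization: forward-resolve, then reverse-resolve."""
    # Like getnameinfo(), fall back to the numeric address when no PTR exists.
    ip = forward.get(host)
    if ip is None:
        raise LookupError(f"no A record for {host}")
    return reverse.get(ip, ip)

def target_principal(host, nocanon, realm=REALM, **dns):
    """Principal the GSSAPI client requests: as given (NOCANON) or canonicalized."""
    name = host if nocanon else canonicalize(host, **dns)
    return f"ldap/{name}@{realm}"

def bind_succeeds(host, nocanon, kdc=KDC_PRINCIPALS, **dns):
    """True only if the KDC has a key for the requested service principal."""
    return target_principal(host, nocanon, **dns) in kdc

def check_peer_dns(host, forward=FORWARD, reverse=REVERSE):
    """Admin check for a replication peer: missing or mismatched A/PTR records."""
    issues = []
    ip = forward.get(host)
    if ip is None:
        return [f"{host}: no A record"]
    ptr = reverse.get(ip)
    if ptr is None:
        issues.append(f"{host}: no PTR record for {ip}")
    elif ptr != host:
        issues.append(f"{host}: PTR for {ip} points to {ptr}")
    return issues
```

With canonicalization on, the replica's bind targets ldap/192.0.2.11@EXAMPLE.TEST, which no KDC knows; with NOCANON the same host binds fine, which is the failure mode the thread attributes to missing PTR records.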