ldapsearch broken for GSS-API (ITS#2882)
Full_Name: Luke Howard
Version: 2.2.3
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (203.13.32.69)
One thing that appears to be broken in 2.2.3: using the GSSAPI SASL mechanism,
"ldapsearch -h foo", where foo is a host name apart from "localhost".
Prior to the merge, the converse was the case: "localhost" did not work but
"foo" did. :-)
Enabling the conditional at line 749 of libraries/libldap/os-ip.c restores the
old behavior for non-loopback addresses (this is in ldap_host_connected_to()).
This appears to be the correct solution given what the function is supposed to
do.
An alternative fix would be to make the default hostname passed into
ldap_host_connected_to() as follows:
    /* default to "localhost" only when no host was configured */
    char *saslhost = ldap_host_connected_to( ld->ld_sb,
        (ld->ld_defconn->lconn_server->lud_host == NULL) ?
        "localhost" : ld->ld_defconn->lconn_server->lud_host );
    rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
...
Either of these fixes should still allow specifying the loopback address to work
with Kerberos.