[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldapsearch broken for GSS-API (ITS#2882)

Full_Name: Luke Howard
Version: 2.2.3
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

One thing that appears to be broken in 2.2.3: using the GSSAPI SASL mechanism,
"ldapsearch -h foo", where foo is a host name apart from "localhost".

Prior to the merge, the converse was the case: "localhost" did not  work but
"foo" did. :-)

Enabling the conditional at line 749 of libraries/libldap/os-ip.c  restores the
old behavior for non-loopback addresses (this is in ldap_host_connected_to()).
This appears to be the correct solution given what the function is supposed to

An alternative fix would be to make the default hostname passed into
ldap_host_connected_to() as follows:

        char *saslhost = ldap_host_connected_to( ld->ld_sb,
                (ld->ld_defconn->lconn_server->lud_host != NULL) ?
                "localhost" : ld->ld_defconn->lconn_server->lud_host );
        rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );

Either of these fixes should still allow specifying the loopback address to work
with Kerberos.