[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antwort: RE: sasl-host ignored in GSSAPI authentication [Virus checked]

AFAIK, sasl-host is used to indentify the host on which saslauthd runs (Is it used for anything else?), and has nothing to do with kerberos servers, nor with the host name of the ldap server. (I could be wrong, so please feel free to correct me)

As far as kerberos goes, the name that DNS server returns as FQHN when performing reverse name mapping is the one that will and has to be used. DNS aliases, entries in /etc/host, and such play no role. In case you aren't sure what to use, "dig" is your friend:

[havlikd@susan bin]$ /sbin/ifconfig eth0|grep "inet addr"
          inet addr:  Bcast:  Mask:
[havlikd@susan bin]$ dig -x|grep 143
; <<>> DiG 9.2.3 <<>> -x
;    IN      PTR 900 IN      PTR     susan.t-mobile.at.

T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                                   eMail: denis.havlik@t-mobile.at
Rennweg 97-99, BT2E0304031        Phone: +43-1-79-585/6237          
A-1030 Vienna                                        Fax:      +43-1-79-585/6584

Jeffrey Layton <jtlayton@poochiereds.net>
Gesendet von: owner-openldap-software@OpenLDAP.org

08.04.2004 21:00

        An:        Quanah Gibson-Mount <quanah@stanford.edu>
        Kopie:        openldap-software@OpenLDAP.org
        Thema:        RE: sasl-host ignored in GSSAPI authentication  [Virus checked]

On Thu, 2004-04-08 at 14:55, Quanah Gibson-Mount wrote:
> That isn't exactly true, either... My ldap.conf points everything to
> "ldap.stanford.edu" which is just an alias for a particular host at a given
> point in time.  ldapsearch still does not ask for
> "ldap/ldap.stanford.edu@stanford.edu", it asks for
> "ldap/ldap7.stanford.edu@stanford.edu" or whatever host is currently
> answering for ldap.stanford.edu.  Also, I'd think having the K5 keytab
> principle be mismatched from the host.FQDN@REALM is going to cause problems
> as well, in reading the K5 RFC...

So is there no way to force the value of the hostname portion of the
kerberos principal?
-- Jeff