
Re: custom hostname for openldap/sasl is not working

--On Thursday, September 02, 2010 08:53:22 AM +0300 Zaar Hai <haizaar@haizaar.com> wrote:

> On Thu, Sep 2, 2010 at 1:22 AM, Bill MacAllister <whm@stanford.edu> wrote:
>
> > Simon Wilkinson discussed the problem on the Heimdal list.
> >
> >  The problem is that both the client and the server must have a
> >  matching idea of the service principal to use in establishing the
> >  GSSAPI connection.
> >
> >  The client will use ldap/ldap.uvm.edu, as that's the only name it
> >  knows the server by. However, the server will end up using
> >  ldap/hostname() and therefore the two won't match, and you'll get
> >  these errors.
>
> So what is the sasl-host directive good for? It does something, in fact:
> if I enable it and set it to ldap.example.com, GSSAPI auth stops
> working with the same error.
>
> Also, I've tried to set the server hostname to "ldap", and hostname --fqdn
> returned ldap.example.com, but this did not help either.

If I remember correctly, sasl-host did allow me to change the name that
was used by the SASL layer.  What it didn't allow me to do was to
specify two names.  I would have liked support for something like:

 sasl-host host1.domain,host2.domain

But, I know that doesn't work because I tried several variations on
that theme when I encountered the problem.  In any case, I think the
change would be better made in SASL and not in OpenLDAP.  Simon said
he thought in later versions of SASL this change might have been made,
but I haven't had a chance to chase that down yet.

Bill

--

Bill MacAllister
Infrastructure Delivery Group, Stanford University
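The name-agreement problem discussed in this thread (the client asks for ldap/<name it connected to>, the server accepts as ldap/<sasl-host or hostname()>) can be checked before touching slapd at all. The following is an added diagnostic written for this page; it is not OpenLDAP or Cyrus SASL code and does not reproduce their internals. The realm EXAMPLE.COM, the host names ldap.example.com and host1.example.com, and the `klist -kt` listing embedded in it are constructed assumptions; replace the listing with the output of `klist -kt` on your server.

```python
# Added diagnostic (not OpenLDAP or Cyrus SASL code): derive the service
# principal each side of a SASL/GSSAPI bind will use and check both against
# a keytab listing. The realm, host names and keytab listing below are
# constructed assumptions for illustration.
import socket
from urllib.parse import urlparse

# Constructed sample in the format printed by MIT Kerberos `klist -kt`.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/01/2010 10:12:05 ldap/ldap.example.com@EXAMPLE.COM
   3 09/01/2010 10:12:05 host/host1.example.com@EXAMPLE.COM
"""


def client_principal(ldap_uri, realm):
    """Principal the client asks for: ldap/<host from the URI>@REALM.

    The client only knows the server by the name it connected to, so that
    name is what it puts in the GSSAPI target.
    """
    host = urlparse(ldap_uri).hostname
    if not host:
        raise ValueError(f"no host in LDAP URI {ldap_uri!r}")
    return f"ldap/{host.lower()}@{realm}"


def server_principal(realm, sasl_host=None, hostname=None):
    """Principal the server's SASL layer expects to accept as.

    Per the thread: the sasl-host directive, if set, supplies the name;
    otherwise the server falls back to hostname(). `hostname` lets a caller
    supply that value explicitly instead of reading it from this machine.
    """
    name = sasl_host or hostname or socket.gethostname()
    return f"ldap/{name.lower()}@{realm}"


def keytab_principals(listing):
    """Parse `klist -kt` output into the set of principals in the keytab."""
    found = set()
    for line in listing.splitlines():
        parts = line.split()
        # Entry lines start with a numeric KVNO; header/separator lines do not.
        if parts and parts[0].isdigit():
            found.add(parts[-1])
    return found


def diagnose(ldap_uri, realm, keytab_listing, sasl_host=None, hostname=None):
    """Report whether client and server agree on the principal name and
    whether each name has a key in the keytab."""
    client = client_principal(ldap_uri, realm)
    server = server_principal(realm, sasl_host=sasl_host, hostname=hostname)
    keys = keytab_principals(keytab_listing)
    return {
        "client": client,
        "server": server,
        "match": client == server,
        "client_in_keytab": client in keys,
        "server_in_keytab": server in keys,
    }


if __name__ == "__main__":
    # Mirrors the thread: the client connects to ldap.example.com, but the
    # server's hostname() is host1.example.com, so the two names differ
    # unless sasl-host overrides the server side.
    for sasl_host in (None, "ldap.example.com"):
        r = diagnose("ldap://ldap.example.com", "EXAMPLE.COM", KEYTAB_LISTING,
                     sasl_host=sasl_host, hostname="host1.example.com")
        print(f"sasl-host={sasl_host or '(unset)'}: client wants {r['client']}, "
              f"server uses {r['server']}, "
              f"{'match' if r['match'] else 'MISMATCH'}; "
              f"server key in keytab: {r['server_in_keytab']}")
```

This checks only the condition the thread names: that both sides name the same principal and that the keytab actually holds a key under that name. It is a necessary condition, not a sufficient one; Zaar's report that setting sasl-host still failed shows that other things can go wrong once the names agree.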