[31055] in CVS-changelog-for-Kerberos-V5
krb5 commit: Add OpenLDAP advice to princ_dns.rst
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Sep 10 11:20:31 2021
Date: Fri, 10 Sep 2021 11:20:23 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202109101520.18AFKNEi008787@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
https://github.com/krb5/krb5/commit/ecaf868e1abb443cd72a00956aeb71e18b71c4ba
commit ecaf868e1abb443cd72a00956aeb71e18b71c4ba
Author: Sam Morris <sam@robots.org.uk>
Date: Wed Sep 8 18:24:28 2021 +0100
Add OpenLDAP advice to princ_dns.rst
ticket: 9027 (new)
doc/admin/princ_dns.rst | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
index b2db007..e558cd4 100644
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking
for the keytab entry that matches the host's own idea of its name
(typically the name that ``gethostname()`` returns). This requires
krb5-1.10 or later.
+
+OpenLDAP (ldapsearch, etc.)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenLDAP's SASL implementation performs reverse DNS lookup in order to
+canonicalize service principal names, even if **rdns** is set to
+``false`` in the Kerberos configuration. To disable this behavior,
+add ``SASL_NOCANON on`` to ``ldap.conf``, or set the
+``LDAPSASL_NOCANON`` environment variable.
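Review bot: The last sentence of the new OpenLDAP paragraph names the ``LDAPSASL_NOCANON`` environment variable but not the value to give it, while the ``ldap.conf`` form is spelled out in full as ``SASL_NOCANON on``. Suggest wording such as "or set the ``LDAPSASL_NOCANON`` environment variable to ``on``" so that both alternatives can be applied as written. The paragraph just above ends with its version requirement ("This requires krb5-1.10 or later"); if ``SASL_NOCANON`` depends on a minimum OpenLDAP release, a matching sentence here would keep the section consistent. It would also help to say in a clause that this setting is needed in addition to **rdns** = ``false``, not instead of it, since the text only implies that the two are independent.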