https://bugs.openldap.org/show_bug.cgi?id=9317
Issue ID: 9317
Summary: LDAPS connection fails to multi-IP DNS using DIGEST-MD5 mechanism
Product: OpenLDAP
Version: 2.4.46
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: paul.raines@gmail.com
Target Milestone: ---
Our MS AD ldap servers are in DNS using alias ldap.example.org at multiple IP addresses like so:
# host ldap.example.org
ldap.example.org has address 172.18.1.10
ldap.example.org has address 172.21.1.10
ldap.example.org has address 172.24.1.10
ldap.example.org has address 172.30.1.10
For CentOS 6 this was not a problem. But with CentOS 7 (2.4.44) and CentOS 8 (2.4.46) the following fails:
# ldapwhoami -d -1 -H ldaps://ldap.example.org -Y DIGEST-MD5 -U username -W
with the error:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 80090303: LdapErr: DSID-0C090574, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v3839
ldap_free_connection 1 1
ldap_send_unbind
If one does a reverse DNS lookup on one of the IPs and uses the unique name (e.g. ldap01.example.org) instead, it works fine.
I think openldap should work in this case with DNS aliases.
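Added illustration, not part of the report above and not OpenLDAP code: a small shell model of why the DIGEST-MD5 bind fails against the round-robin alias and succeeds against the per-host name obtained from a reverse lookup. The DNS and SPN tables are constructed stand-ins for the reporter's environment. Only ldap.example.org, its four addresses and ldap01.example.org appear in the report; the other host names, the PTR mapping and the assumption that each DC registers ldap/<its own FQDN> but nothing for the alias are mine. The model assumes the client derives the digest-uri from the host name in the URI it was given, which is what the "digest-uri does not match" error implies.

```shell
#!/bin/sh
# Constructed DNS data (not a real zone). Forward records for the alias
# are the ones shown in the report; the per-host names are assumed.
FORWARD_TABLE='ldap.example.org 172.18.1.10
ldap.example.org 172.21.1.10
ldap.example.org 172.24.1.10
ldap.example.org 172.30.1.10
ldap01.example.org 172.18.1.10
ldap02.example.org 172.21.1.10
ldap03.example.org 172.24.1.10
ldap04.example.org 172.30.1.10'

# Constructed PTR records: one unique DC name per address (assumed).
REVERSE_TABLE='172.18.1.10 ldap01.example.org
172.21.1.10 ldap02.example.org
172.24.1.10 ldap03.example.org
172.30.1.10 ldap04.example.org'

# Constructed SPN registry (assumed): each DC has ldap/<own FQDN>;
# nobody registered ldap/ldap.example.org for the alias.
SPN_TABLE='ldap01.example.org ldap/ldap01.example.org
ldap02.example.org ldap/ldap02.example.org
ldap03.example.org ldap/ldap03.example.org
ldap04.example.org ldap/ldap04.example.org'

# resolve_addrs NAME: print every address for NAME, one per line
# (stands in for `host NAME`).
resolve_addrs() {
    printf '%s\n' "$FORWARD_TABLE" | awk -v n="$1" '$1 == n { print $2 }'
}

# reverse_name IP: print the PTR name for IP (stands in for `host IP`).
reverse_name() {
    printf '%s\n' "$REVERSE_TABLE" | awk -v ip="$1" '$1 == ip { print $2 }'
}

# digest_uri HOST: the digest-uri a DIGEST-MD5 client derives from the
# host part of the LDAP URI, in the RFC 2831 "serv-type/host" form.
digest_uri() {
    printf 'ldap/%s\n' "$1"
}

# server_for HOST: the DC that actually answers a connection to HOST,
# i.e. the PTR name of the first address HOST resolves to.
server_for() {
    first=$(resolve_addrs "$1" | head -n 1)
    [ -n "$first" ] || return 1
    reverse_name "$first"
}

# spn_accepts SERVER URI: succeed iff SERVER has URI registered as an SPN.
spn_accepts() {
    printf '%s\n' "$SPN_TABLE" |
        awk -v s="$1" -v u="$2" '$1 == s && $2 == u { found = 1 } END { exit !found }'
}

# try_bind HOST: model the DC's decision for a DIGEST-MD5 bind to
# ldaps://HOST. Returns 0 on success, 49 (invalidCredentials) otherwise.
try_bind() {
    server=$(server_for "$1") || { echo "no address for $1"; return 1; }
    uri=$(digest_uri "$1")
    if spn_accepts "$server" "$uri"; then
        echo "ok: $server accepted digest-uri $uri"
        return 0
    fi
    echo "Invalid credentials (49): $server has no LDAP SPN matching $uri"
    return 49
}

# workaround_host ALIAS: the name the report says works, obtained by
# reverse-resolving one of the alias's addresses.
workaround_host() {
    server_for "$1"
}

# bind_command HOST USER: the ldapwhoami invocation from the report with
# the chosen host substituted.
bind_command() {
    printf 'ldapwhoami -H ldaps://%s -Y DIGEST-MD5 -U %s -W\n' "$1" "$2"
}

main() {
    try_bind ldap.example.org || :
    h=$(workaround_host ldap.example.org)
    try_bind "$h"
    bind_command "$h" username
}

main
```

Running it prints the rejection for ldap.example.org, the acceptance for ldap01.example.org, and the ldapwhoami command to use. Against real DNS, replace resolve_addrs and reverse_name with `host` (or `dig +short` / `dig +short -x`) calls; the rest of the logic is unchanged. Note that the workaround pins the bind to one DC, so the round-robin failover the alias provides is lost.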