--On October 24, 2007 10:42:43 PM +0100 Simon Wilkinson <simon(a)sxw.org.uk&gt; wrote: > >> >> The patch unconditionally disables hostname canonicalisation for >> the sasl client. > > I think this will break GSSAPI connections to LDAP servers that are > behind DNS round robin style load balancers. > > Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap2. The > LDAP library initiates a connection to 'ldap', and DNS points it to > 'ldap-1'. Providing you ask SASL to set up a connection to 'ldap-1', > you're fine (this is what the code does at the moment). However, > if you > ask the SASL library for a connection to 'ldap' (this is what your > change > does, as far as I can tell), and the library does a > canonicalisation step > (as most Kerberos implementations currently do), it will get 'ldap-2' > back from the DNS. So, you end up trying to negotiate a SASL > connection > with 'ldap-2', when you're actually connected to 'ldap-1'. This > tends not > to work.