> The patch unconditionally disables hostname canonicalisation for > the sasl client. I think this will break GSSAPI connections to LDAP servers that are behind DNS round robin style load balancers. Assume that you have 'ldap' that is a CNAME for ldap-1 and ldap2. The LDAP library initiates a connection to 'ldap', and DNS points it to 'ldap-1'. Providing you ask SASL to set up a connection to 'ldap-1', you're fine (this is what the code does at the moment). However, if you ask the SASL library for a connection to 'ldap' (this is what your change does, as far as I can tell), and the library does a canonicalisation step (as most Kerberos implementations currently do), it will get 'ldap-2' back from the DNS. So, you end up trying to negotiate a SASL connection with 'ldap-2', when you're actually connected to 'ldap-1'. This tends not to work.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iQEVAwUBRyDy7prPkVOV4lDgAQJD9gf+KzsoMxBtCf0K0f80q6kWM+DAB64EpwCV g2Lj9JdKK0BcxcyXpnz+vBrKPwuP8RP/1dkvNiBJrgcUVc9Yo25H+UNBHkff0wUt QPZZvf9p/nxz0AQHAYrHdh94fM748y2LuMD/oVkpu+Oi8HeC5P5fo2VMpsoJ9pcg 9ee23yyuT3EyjpG3YGnApOOdAPgEqgUirvI+DibFYXo4hLrzwL5PKRmY3ggMZKa1 OrHz2qjZjvcktbs3cSU0v17tG+KLW1DtKaO80bSrbjAqb0l4rVPI+a6ixN5IEbG7 RdGKzx9jP4hgTP+Xt06e+eNFg19u0e72mrlzmH2A29C5RA2cHVsMRg== =bLmO -----END PGP SIGNATURE-----