Quanah Gibson-Mount wrote:
Does your patch work if Heimdal is being used as well? Because
I've found MIT not to be worthwhile to compile the OpenLDAP server
against for stability and throughput reasons.
A patch against OpenLDAP 2.3 is
attached below. It works fine with MIT
but I have not tried it with Heimdal (I think it should work though). If
I set "rdns = no" in [libdefaults] in the Kerberos configuration file, I
get the following advantages:
- I can call "ldapsearch -h <host>" on a host that does not have a
reverse DNS mapping.
- I can call "ldapsearch -h <host>" on a host for which no domain to
realm mapping exists locally, making use of server-side referrals (in my
case with a Windows 2003 KDC).
The patch unconditionally disables hostname canonicalisation for the
sasl client. In my view this should be OK, as the Kerberos library will
do hostname canonicalisation anyway and therefore this step is redundant
in OpenLDAP. But by not doing this in OpenLDAP, we add the possibility
of the Kerberos library deciding to take another (or no)
canonicalisation option. In my view, hostname canonicalisation is a
Kerberos specific issue and therefore should be performed only in the
I assume I need to create an issue tracker if I would want to submit
this for inclusion? Also I will try to create versions of the patch for
2.4 and the trunk.
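As an added illustration of the pipeline the reply above describes (this is example code, not part of the thread and not OpenLDAP or Kerberos library code), the following model runs the two canonicalisation steps that can sit in front of a GSSAPI service principal request for "ldapsearch -h <host>": the client library's own reverse-DNS step, which the patch removes, and the Kerberos library's step, which "rdns = no" in [libdefaults] switches off. The DNS records, the [domain_realm] table and the exact behaviour of each step (a missing PTR record being fatal for the client-library step, the Kerberos library falling back to the name it was given) are constructed assumptions so that the script runs offline; forward canonicalisation is not modelled.

```python
# Added example, not code from the original thread, OpenLDAP or libkrb5: an
# offline model of the canonicalisation steps in front of ldap/<host>@REALM.
# All records and the per-step behaviour below are constructed assumptions.

# Constructed forward (A) records.
FORWARD = {
    "ldap1.example.com": "192.0.2.10",
    "ldap2.example.com": "192.0.2.11",   # has no PTR record (case 1 in the post)
    "ldap.corp.example": "192.0.2.20",   # PTR points to a different name
}

# Constructed reverse (PTR) records; 192.0.2.11 deliberately has none.
REVERSE = {
    "192.0.2.10": "ldap1.example.com",
    "192.0.2.20": "dc1.corp.example",
}

# Constructed [domain_realm] table; corp.example is deliberately unmapped,
# so its realm has to come from KDC referrals (case 2 in the post).
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
}


class CanonError(Exception):
    """Raised when a canonicalisation step cannot produce a host name."""


def ldap_canonicalise(host):
    """Model of the client-library step the patch disables: resolve the host,
    then replace it with the name found in reverse DNS. Assumption: a missing
    PTR record is a hard failure, which is the first problem in the post."""
    addr = FORWARD.get(host.lower())
    if addr is None:
        raise CanonError("cannot resolve %s" % host)
    ptr = REVERSE.get(addr)
    if ptr is None:
        raise CanonError("no reverse DNS mapping for %s (%s)" % (addr, host))
    return ptr


def krb5_canonicalise(host, rdns=True):
    """Model of the Kerberos library's own step. Assumption: with rdns=True
    (the krb5.conf default) it prefers the PTR name but keeps the given name
    when there is none; with rdns=False ('rdns = no') it keeps the given name."""
    host = host.lower()
    addr = FORWARD.get(host)
    if addr is None:
        raise CanonError("cannot resolve %s" % host)
    if rdns:
        return REVERSE.get(addr, host)
    return host


def realm_for(host):
    """Local domain-to-realm lookup. None means no local mapping, which the
    post leaves to server-side referrals from the KDC."""
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix):
            return realm
    return None


def service_principal(host, ldap_canon=True, rdns=True):
    """Run the pipeline: optionally the client library's reverse lookup, then
    the Kerberos library's, then realm selection. Returns
    (service_host, realm_or_None) for ldap/<service_host>@<realm>."""
    name = ldap_canonicalise(host) if ldap_canon else host
    name = krb5_canonicalise(name, rdns=rdns)
    return (name, realm_for(name))


def compare(host, rdns):
    """Outcome with the client-library step ('ldap_canon') and without it
    ('patched'), rendered as principal strings or error messages."""
    out = {}
    for label, ldap_canon in (("ldap_canon", True), ("patched", False)):
        try:
            name, realm = service_principal(host, ldap_canon=ldap_canon, rdns=rdns)
            out[label] = "ldap/%s@%s" % (name, realm or "<referral>")
        except CanonError as e:
            out[label] = "error: %s" % e
    return out


if __name__ == "__main__":
    for host in ("ldap1.example.com", "ldap2.example.com", "ldap.corp.example"):
        for rdns in (True, False):
            print("%-18s rdns=%-5s %s" % (host, rdns, compare(host, rdns)))
```

With the client-library step in place the host without a PTR record fails whatever rdns is set to; once that step is removed, the Kerberos library's own setting decides the name, and a PTR record can still change which service principal the client asks a ticket for when rdns is left on, which is the usual reason to set rdns = no on hosts whose reverse zone is not under the same control as the forward one. Later OpenLDAP releases expose the same choice as the SASL_NOCANON option in ldap.conf.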