--On Thursday, September 02, 2010 08:53:22 AM +0300 Zaar Hai haizaar@haizaar.com wrote:

On Thu, Sep 2, 2010 at 1:22 AM, Bill MacAllister whm@stanford.edu wrote:

...

Simon Wilkinson discussed the problem on the Heimdal list.

The problem is that both the client and the server must have a  matching idea of the service principal to use in establishing the  GSSAPI connection.

The client will use ldap/ldap.uvm.edu, as that's the only name it  knows the server by. However, the server will end up using  ldap/hostname() and therefore the two won't match, and you'll get  these errors.

So what sasl-host directive is good for? It does something in fact - if I enable it and set it to ldap.example.com, GSSAPI auth stop working with the same error.

Also, I've tried to set server hostname to "ldap", and hostname --fqdn returned ldap.example.com, but this did not help either.

If I remember correctly sasl-host did allow me to change the name that was used by the SASL layer. What it didn't allow me to do was to specify two names. I would have liked support for something like:

sasl-host host1.domain,host2.domain

But, I know that doesn't work because I tried several variations on that theme when I encountered the problem. In any case, I think the change would be better made in SASL and not in OpenLDAP. Simon said he thought in later versions of SASL this change might have been made, but I haven't had a chance to chase that down yet.

Bill