krb5 commit: Add OpenLDAP advice to princ_dns.rst

Greg Hudson ghudson at mit.edu
Fri Sep 10 11:20:23 EDT 2021


https://github.com/krb5/krb5/commit/ecaf868e1abb443cd72a00956aeb71e18b71c4ba
commit ecaf868e1abb443cd72a00956aeb71e18b71c4ba
Author: Sam Morris <sam at robots.org.uk>
Date:   Wed Sep 8 18:24:28 2021 +0100

    Add OpenLDAP advice to princ_dns.rst
    
    ticket: 9027 (new)

 doc/admin/princ_dns.rst |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
index b2db007..e558cd4 100644
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking
 for the keytab entry that matches the host's own idea of its name
 (typically the name that ``gethostname()`` returns).  This requires
 krb5-1.10 or later.
+
+OpenLDAP (ldapsearch, etc.)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenLDAP's SASL implementation performs reverse DNS lookup in order to
+canonicalize service principal names, even if **rdns** is set to
+``false`` in the Kerberos configuration.  To disable this behavior,
+add ``SASL_NOCANON on`` to ``ldap.conf``, or set the
+``LDAPSASL_NOCANON`` environment variable.
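Review bot: The last sentence of the new section says to set the ``LDAPSASL_NOCANON`` environment variable but gives no value, while the ``ldap.conf`` form just before it spells out ``on``. Suggest naming the value for the environment variable too, so a reader can apply either form directly from the text. Since the section heading refers to ldapsearch and similar tools, it would also help to add that this setting is applied on each client where those tools run, and that it is separate from **rdns** in the Kerberos configuration. As written, a reader who has already set **rdns** to ``false`` may not realize that every OpenLDAP client needs its own change.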

