Add OpenLDAP advice to princ_dns.rst

author Sam Morris <sam@robots.org.uk>

Wed, 8 Sep 2021 17:24:28 +0000 (18:24 +0100)

committer Greg Hudson <ghudson@mit.edu>

Fri, 10 Sep 2021 15:11:02 +0000 (11:11 -0400)
author Sam Morris <sam@robots.org.uk>
Wed, 8 Sep 2021 17:24:28 +0000 (18:24 +0100)
committer Greg Hudson <ghudson@mit.edu>
Fri, 10 Sep 2021 15:11:02 +0000 (11:11 -0400)
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst

index b2db007ab6a4a4bcc0436302875b2b9207a4c122..e558cd4881eb7610df45f52e73a1ff78590670ea 100644 (file)
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking
  for the keytab entry that matches the host's own idea of its name
  (typically the name that ``gethostname()`` returns).  This requires
  krb5-1.10 or later.
+
+OpenLDAP (ldapsearch, etc.)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenLDAP's SASL implementation performs reverse DNS lookup in order to
+canonicalize service principal names, even if **rdns** is set to
+``false`` in the Kerberos configuration.  To disable this behavior,
+add ``SASL_NOCANON on`` to ``ldap.conf``, or set the
+``LDAPSASL_NOCANON`` environment variable.
author	Sam Morris <sam@robots.org.uk>
	Wed, 8 Sep 2021 17:24:28 +0000 (18:24 +0100)
committer	Greg Hudson <ghudson@mit.edu>
	Fri, 10 Sep 2021 15:11:02 +0000 (11:11 -0400)