From: Sam Morris Date: Wed, 8 Sep 2021 17:24:28 +0000 (+0100) Subject: Add OpenLDAP advice to princ_dns.rst X-Git-Tag: krb5-1.20-beta1~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1216%2Fhead;p=thirdparty%2Fkrb5.git Add OpenLDAP advice to princ_dns.rst ticket: 9027 (new) --- diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst index b2db007ab6..e558cd4881 100644 --- a/doc/admin/princ_dns.rst +++ b/doc/admin/princ_dns.rst @@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking for the keytab entry that matches the host's own idea of its name (typically the name that ``gethostname()`` returns). This requires krb5-1.10 or later. + +OpenLDAP (ldapsearch, etc.) +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenLDAP's SASL implementation performs reverse DNS lookup in order to +canonicalize service principal names, even if **rdns** is set to +``false`` in the Kerberos configuration. To disable this behavior, +add ``SASL_NOCANON on`` to ``ldap.conf``, or set the +``LDAPSASL_NOCANON`` environment variable.
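Review bot: The last line of the hunk tells the reader to "set the ``LDAPSASL_NOCANON`` environment variable" but gives no value, while the ``ldap.conf`` alternative right before it is spelled out as ``SASL_NOCANON on``; an admin following the text may export an empty or arbitrary value and not get the intended effect. Suggest making both forms concrete, e.g. "add ``SASL_NOCANON on`` to ``ldap.conf`` (or ``~/.ldaprc``), or set ``LDAPSASL_NOCANON=on`` in the environment", since the environment form of an ldap.conf option takes the same on/off value as the directive per ldap.conf(5). It would also help to say that the setting belongs to the OpenLDAP client library, so it affects every program linked against libldap that uses GSSAPI, not just the ``ldapsearch`` family named in the heading, which is why the Kerberos-side **rdns** setting alone is not sufficient.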