From ecaf868e1abb443cd72a00956aeb71e18b71c4ba Mon Sep 17 00:00:00 2001 From: Sam Morris Date: Wed, 8 Sep 2021 18:24:28 +0100 Subject: [PATCH] Add OpenLDAP advice to princ_dns.rst ticket: 9027 (new) --- doc/admin/princ_dns.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst index b2db007ab6..e558cd4881 100644 --- a/doc/admin/princ_dns.rst +++ b/doc/admin/princ_dns.rst @@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking for the keytab entry that matches the host's own idea of its name (typically the name that ``gethostname()`` returns). This requires krb5-1.10 or later. + +OpenLDAP (ldapsearch, etc.) +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenLDAP's SASL implementation performs reverse DNS lookup in order to +canonicalize service principal names, even if **rdns** is set to +``false`` in the Kerberos configuration. To disable this behavior, +add ``SASL_NOCANON on`` to ``ldap.conf``, or set the +``LDAPSASL_NOCANON`` environment variable. -- 2.47.2
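Review bot: the new "OpenLDAP (ldapsearch, etc.)" section in the princ_dns.rst hunk leaves the remedy underspecified in two places. First, "set the ``LDAPSASL_NOCANON`` environment variable" names no value, while the ``ldap.conf`` form gives one (``SASL_NOCANON on``); the two should be stated in parallel so a reader knows what to export, e.g. "or set ``LDAPSASL_NOCANON`` to the same value in the environment". Second, "add ``SASL_NOCANON on`` to ``ldap.conf``" does not say whether this means the system-wide client configuration or a per-user file, which matters for advice that is meant to be applied by whoever runs ``ldapsearch``; a half-sentence naming which file (or both) would close that gap. It would also help to tie the first sentence back to the **rdns** discussion above it with a one-line statement of why this matters, since the hunk as written says only that the reverse lookup happens "even if **rdns** is set to ``false``" without saying that this re-opens the name-substitution problem the rest of the page is about.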