author: Sam Morris <sam@robots.org.uk> 2021-09-08 18:24:28 +0100
committer: Greg Hudson <ghudson@mit.edu> 2021-09-10 11:11:02 -0400
commit: ecaf868e1abb443cd72a00956aeb71e18b71c4ba
tree: 3d1ebc290385e43ea11e7ba192f00bd0e48fbe67
parent: a870d1b12d34f285f15900400ce44409e87642dc
Add OpenLDAP advice to princ_dns.rst
ticket: 9027 (new)
Diffstat (limited to 'doc/admin')
-rw-r--r-- doc/admin/princ_dns.rst | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
index b2db007..e558cd4 100644
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -115,3 +115,12 @@ any key in its keytab when accepting a connection, rather than looking
for the keytab entry that matches the host's own idea of its name
(typically the name that ``gethostname()`` returns). This requires
krb5-1.10 or later.
+
+OpenLDAP (ldapsearch, etc.)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenLDAP's SASL implementation performs reverse DNS lookup in order to
+canonicalize service principal names, even if **rdns** is set to
+``false`` in the Kerberos configuration. To disable this behavior,
+add ``SASL_NOCANON on`` to ``ldap.conf``, or set the
+``LDAPSASL_NOCANON`` environment variable.
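Review bot: The last sentence of the new OpenLDAP paragraph gives a value for the ``ldap.conf`` form (``SASL_NOCANON on``) but says only "set the ``LDAPSASL_NOCANON`` environment variable" without saying what to set it to, so a reader cannot tell whether any value works or whether it must be ``on``. Suggest stating the value explicitly, and saying which ``ldap.conf`` is meant (the system-wide file or a per-user one), since an administrator following this section will need to know where the setting takes effect. It would also help to add one sentence on why this matters for the section's topic: with **rdns** set to ``false`` the administrator expects no reverse lookup to influence the service principal name, and this paragraph describes a client that does one anyway, so the text should say plainly that the OpenLDAP setting is needed in addition to the **rdns** setting rather than instead of it.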