If the IPA server's reverse DNS is broken, such as the PTR entry
pointing to a different name, then enrollment will fail and ipa-getkeytab
won't work.
I tested with:
[rcrit@dane freeipa]$ getent hosts slinky
192.168.166.39 slinky.example.com
[rcrit@dane freeipa]$ getent hosts 192.168.166.39
192.168.166.39 lego.example.com
This relies on fixes in openldap and krb5 in Fedora-15. It is testable
in RHEL 6.2 though.
sssd has similar problems and they are making a change as well. Without
the sssd fix enrollment will succeed but nss won't work.
rob
From 4fccaf6d5a373c18a53fe99326261e5e504e2020 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 26 Aug 2011 10:42:40 -0400
Subject: [PATCH] Disable reverse lookups in ipa-join and ipa-getkeytab
This prevents broken DNS from causing enrollment problems.
https://fedorahosted.org/freeipa/ticket/1693
---
ipa-client/ipa-getkeytab.c | 7 +++++++
ipa-client/ipa-join.c | 7 +++++++
2 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 166f46e..5a521d0 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -577,6 +577,13 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto error_out;
+ }
+
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
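Review bot: treating a failed ldap_set_option(LDAP_OPT_X_SASL_NOCANON) as fatal (the `goto error_out` in the new block) inverts the intent of the patch on a libldap that does not honour this option: the cover letter says the fix relies on the openldap changes in Fedora 15, and on an older library the call returns an error and ipa-getkeytab would then fail on every host, broken DNS or not. Either downgrade the failure to a warning and continue, or make the dependency explicit with a build-time check (e.g. `#ifdef LDAP_OPT_X_SASL_NOCANON`) plus a versioned openldap requirement in the spec, and state that minimum version in the commit message.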
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index f6ca693..aac8097 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -213,6 +213,13 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
goto fail;
}
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto fail;
+ }
+
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
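Review bot: this block is a verbatim copy of the one added to ipa-getkeytab.c, including the same fatal error path (`goto fail`), so the same concern applies: a libldap without LDAP_OPT_X_SASL_NOCANON support would now abort ipa-join, which is the enrollment path the patch is meant to make more robust. Also worth noting in the commit message that the LDAP-side NOCANON only covers the SASL bind hostname; the cover letter mentions a matching krb5 fix, and the krb5 side (reverse-lookup canonicalization of the service principal) is not touched by this patch, so the two dependencies should be documented together.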
--
1.7.1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel