Bug 908913 - SASL NOCANON option default is backwards
Summary: SASL NOCANON option default is backwards
Keywords:
Status: CLOSED DUPLICATE of bug 949864
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-02-07 20:46 UTC by Simo Sorce
Modified: 2013-04-19 07:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-19 07:11:43 UTC
Type: Bug
Embargoed:



Description Simo Sorce 2013-02-07 20:46:41 UTC
It appears that relatively recently the default behavior of openldap command line tools and libraries has changed when using SASL/GSSAPI.

Previously no explicit canonicalization was performed and all worked properly.
Now it seems that the SASL NOCANON option is explicitly turned off by default.

ldapsearch -Y GSSAPI is not sufficient anymore in my setup, now I need to pass in -N explicitly too.

This causes failures when a host has no PTR record (or the PTR record does not point back at the canonical name). Missing/wrong PTR records are extremely common, so this change is causing disruption in otherwise perfectly working environments.

Canonicalization should not be performed by default and only performed on request.

Can we change back this behavior?
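
The failure condition described above (no PTR record, or a PTR that does not point back at the name used) can be checked per server before deciding where `-N` is needed. The following is an added example, not part of the original report and not openldap code; the host names, addresses and the `ptr_check`/`report` helpers are constructed for illustration, and the rule that canonicalization substitutes the PTR name is an assumed model based on the description.

```python
import socket

# Constructed sample DNS data (not from the bug report): forward A records
# and reverse PTR records for three hypothetical LDAP servers.
SAMPLE_A = {"ldap1.example.test": "192.0.2.10",
            "ldap2.example.test": "192.0.2.20",
            "ldap3.example.test": "192.0.2.30"}
SAMPLE_PTR = {"192.0.2.10": "ldap1.example.test.",   # points back correctly
              "192.0.2.30": "vm-30.hosting.test"}    # points elsewhere
# 192.0.2.20 deliberately has no PTR record at all.

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def ptr_check(host, forward=None, reverse=None):
    """Return (status, ptr_name); status is consistent, no-ptr or mismatch."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    ip = forward(host)
    try:
        ptr = reverse(ip)
    except (socket.herror, socket.gaierror, KeyError):
        return ("no-ptr", None)          # KeyError covers the sample tables
    status = "consistent" if _norm(ptr) == _norm(host) else "mismatch"
    return (status, ptr)

def report(host, forward=None, reverse=None):
    """Summarize which Kerberos service name each mode would ask for."""
    status, ptr = ptr_check(host, forward, reverse)
    return {
        "host": host,
        "status": status,
        # Name as typed: what is used when -N (SASL NOCANON) is in effect.
        "spn_nocanon": "ldap/" + _norm(host),
        # Assumed model: canonicalization substitutes the PTR name.
        "spn_canon": "ldap/" + _norm(ptr) if ptr else None,
        "needs_nocanon": status != "consistent",
    }

if __name__ == "__main__":
    for h in SAMPLE_A:
        print(report(h, SAMPLE_A.__getitem__, SAMPLE_PTR.__getitem__))
```

Called without the `forward` and `reverse` arguments, `report` uses the system resolver, so it can be pointed at real server names.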

Comment 1 Jan Synacek 2013-03-01 08:42:22 UTC
Hi Simo,

Yes, the behavior has changed. Here is the relevant upstream ticket:

http://www.openldap.org/its/index.cgi?findid=7271

If you have a reproducer that would show that the patch is broken, we may be able to persuade upstream to change it back.

Comment 2 Jan Synacek 2013-04-19 07:11:43 UTC
Will be fixed in #949864.

*** This bug has been marked as a duplicate of bug 949864 ***