Dominic Hargreaves <d...@earth.li> writes:

> And just to make explicit, there is a suggested improvement in the
> Debian BTS:

> # If we're talking to a round-robin, the canonical name of
> # the host we are talking to might not match the name we
> # requested
> my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
> my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
> my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
> $connected_name ||= $ldap->{net_ldap_host};

Graham, the current code cannot possibly work with Kerberos GSS-API SASL
authentications.  Here's what it currently says:

    # If we're talking to a round-robin, the canonical name of
    # the host we are talking to might not match the name we
    # requested
    my $connected_name = $ldap->{net_ldap_socket}->peerhost;
    $connected_name ||= $ldap->{net_ldap_host};

And from IO::Socket::INET:

    peerhost ()
        Return the address part of the sockaddr structure for the socket
        on the peer host in a text form xx.xx.xx.xx

You cannot do a Kerberos SASL authentication to an IP address.  It will
never work; Kerberos doesn't support it.  Kerberos requires a hostname.
So setting the connected name to an IP address will always, always fail
if you're using GSS-API authentication.

Right now, everyone who wants to use Net::LDAP with Kerberos GSS-API
authentication needs to patch Net::LDAP; otherwise, the module is
completely unusable if that's the required authentication mechanism.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
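
Added example, not part of the message above and not Net::LDAP's own code: a stand-alone Perl script that shows peerhost() yielding a text-form IP address and a guard that only accepts a host name as the GSS-API target. The helpers sasl_target_name and looks_like_ip are hypothetical, and the loopback listener is constructed so the script runs offline; it assumes 127.0.0.1 has a reverse mapping (typically from the hosts file) and refuses otherwise.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# True for a dotted-quad IPv4 literal or anything containing ':' (IPv6).
sub looks_like_ip {
    my ($name) = @_;
    return ($name =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/ || $name =~ /:/) ? 1 : 0;
}

# Hypothetical helper: choose the name handed to the SASL layer.
#   $sock      - connected IO::Socket::INET
#   $requested - host name the caller asked to connect to
sub sasl_target_name {
    my ($sock, $requested) = @_;
    # Reverse-resolve the peer actually reached (the round-robin case).
    my $name = gethostbyaddr($sock->peeraddr, $sock->sockdomain);
    # Fall back to the requested name when reverse lookup gives nothing.
    $name = $requested // '' if !defined $name || $name eq '';
    # Kerberos needs a host name; fail early instead of at the KDC.
    die "no host name for GSS-API target (have '$name')\n"
        if $name eq '' || looks_like_ip($name);
    return $name;
}

# Constructed demo: a listener on an ephemeral loopback port.
my $listener = IO::Socket::INET->new(
    Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0, Proto => 'tcp',
) or die "listen: $!";
my $sock = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1', PeerPort => $listener->sockport, Proto => 'tcp',
) or die "connect: $!";

# What the current code would use as the connected name.
printf "peerhost():     %s\n", $sock->peerhost;

# The caller also passed an IP here, so a missing reverse mapping is
# refused rather than silently used.
my $target = eval { sasl_target_name($sock, '127.0.0.1') };
print(defined($target)
    ? "GSS-API target: ldap\@$target\n"
    : "refused: $@");
```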