Bug#573596: libnet-ldap-perl: Net::LDAP passes the wrong remote server identity to SASL

Russ Allbery rra at debian.org
Thu Mar 18 19:01:48 UTC 2010


Dominic Hargreaves <dominic.hargreaves at oucs.ox.ac.uk> writes:
> On Sun, Mar 14, 2010 at 02:15:51PM -0700, Russ Allbery wrote:

>> Unfortunately, Cyrus SASL doesn't do this.  It still builds a
>> server-side principal name and then accepts only that principal name.
>> We use a one-line patch to Cyrus SASL to disable that behavior.  I
>> suspect that's what you ran into, since the Cyrus SASL default server
>> principal is based on the canonical local hostname.

> Thank you for the excellent explanation. I would be very interested in
> details of the Cyrus patch you have. Has it been offered upstream at
> all?

We took it from recent discussion on the Heimdal list, where people said
that they'd offered it upstream several times.  We haven't tried again
ourselves.  The patch is attached to this message; it's completely
trivial.

> So, just to clarify, the original Net::LDAP (without my bad patch) would
> have worked with your DNS round-robin based service?

Correct.  We noticed this because it was working with etch and broke under
lenny.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-patch
Type: text/x-diff
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20100318/f7d86dbf/attachment.diff>