libnfsidmap - get_canonical_hostname() call when using ldap
Kevin Coffman
kwc at citi.umich.edu
Tue Jul 11 12:08:57 EDT 2006
On 7/11/06, Wachdorf, Daniel R <drwachd at sandia.gov> wrote:
>
> The libnfsidmap uses a function get_canonical_hostname to translate the
> hostname provided in the configuration file into a DNS canonical hostname.
>
> The comment in the code is:
>
> /*
> * TLS connections require that the hostname we specify matches
> * the hostname in the certificate that the server uses.
> * Get a canonical name for the host specified in the config file.
> */
>
> Unfortunately, this code does not allow you to use SSL ldap hosts with a
> cert name different than the canonical name. This is useful when using
> multiple LDAP servers in a DNS round-robin with the same SSL certs and
> separate canonical DNS names. Shouldn't the code just use the hostname
> provided by the user in the config file? This would require the name to be
> fully qualified.
Hi Dan,
I see your point. My /etc/openldap/ldap.conf has the following (in
case LDAP is being used for hostname resolution):
HOST 141.211.133.124
BASE dc=citi,dc=umich,dc=edu
so I had the opposite problem when trying to use the same values in idmapd.conf:
[UMICH_SCHEMA]
LDAP_server = 141.211.133.124
LDAP_base = dc=citi,dc=umich,dc=edu
LDAP_use_ssl = yes
LDAP_ca_cert = /usr/share/ssl/certs/citi-kca-root.crt
Without the canonicalization, this failed. I can be convinced either
way is correct.
K.C.
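To make the trade-off in this thread concrete, the following is an added Python model of the two verification strategies (it is not code from libnfsidmap or from either poster). It stands in for DNS with a constructed resolver table (the names under example.test and the 192.0.2.x addresses are made up), models only dNSName subjectAltName entries, and compares "canonicalize the configured host first" against "use the configured name as given" for both setups described above: a round-robin alias whose servers share one certificate, and an IP literal in the config file. The final helper, which tries the configured name and falls back to the canonical one, goes beyond what either message proposes and is only one possible reconciliation.

```python
import ipaddress

# Constructed resolver data standing in for DNS; none of these are real hosts.
# FORWARD maps a queried name to (canonical name, address) records, the way
# getaddrinfo(AI_CANONNAME) would report them. The round-robin alias
# "ldap.example.test" fronts two servers that have separate canonical names.
FORWARD = {
    "ldap.example.test": [("ldap1.example.test", "192.0.2.10"),
                          ("ldap2.example.test", "192.0.2.11")],
    "ldap1.example.test": [("ldap1.example.test", "192.0.2.10")],
    "ldap2.example.test": [("ldap2.example.test", "192.0.2.11")],
}
# REVERSE models PTR records, used when the config file holds an IP literal.
REVERSE = {"192.0.2.10": "ldap1.example.test",
           "192.0.2.11": "ldap2.example.test"}


def canonical_hostname(host):
    """Mimic the canonicalization step: for an IP literal do a reverse lookup,
    otherwise take the canonical name of the first forward record (which is
    whichever server the round-robin answer happened to list first).
    Returns None when resolution fails."""
    try:
        ipaddress.ip_address(host)
        return REVERSE.get(host)
    except ValueError:
        records = FORWARD.get(host.lower())
        return records[0][0] if records else None


def _label_match(pattern, name):
    """RFC 6125-style dNSName comparison: case-insensitive, and a wildcard is
    accepted only as the entire left-most label with at least two labels
    after it (so '*.example.test' matches 'ldap2.example.test' but '*.test'
    matches nothing)."""
    p = pattern.lower().split(".")
    n = name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n


def name_matches_cert(name, san_dns_names):
    """True if `name` matches any dNSName SAN. An IP literal never matches a
    dNSName entry; it would need an iPAddress SAN, which this model omits."""
    return any(_label_match(pattern, name) for pattern in san_dns_names)


def tls_name_check(configured_host, san_dns_names, canonicalize):
    """Return (verified, name_actually_compared) for one strategy:
    canonicalize=True  -> resolve first, compare the canonical name
    canonicalize=False -> compare the configured string as given."""
    name = canonical_hostname(configured_host) if canonicalize else configured_host
    if name is None:
        return (False, None)
    return (name_matches_cert(name, san_dns_names), name)


def tls_name_check_either(configured_host, san_dns_names):
    """Hypothetical reconciliation (not proposed in the thread): accept the
    certificate if either the configured name or its canonical form matches.
    Returns the name that matched, or None."""
    candidates = [configured_host]
    canon = canonical_hostname(configured_host)
    if canon and canon.lower() != configured_host.lower():
        candidates.append(canon)
    for name in candidates:
        if name_matches_cert(name, san_dns_names):
            return name
    return None


if __name__ == "__main__":
    # Round-robin alias, shared cert issued for the alias name only.
    shared_cert = ["ldap.example.test"]
    print("alias, canonicalize:", tls_name_check("ldap.example.test", shared_cert, True))
    print("alias, as given:    ", tls_name_check("ldap.example.test", shared_cert, False))
    # IP literal in the config file, cert issued for the server's DNS name.
    host_cert = ["ldap1.example.test"]
    print("IP, canonicalize:   ", tls_name_check("192.0.2.10", host_cert, True))
    print("IP, as given:       ", tls_name_check("192.0.2.10", host_cert, False))
    print("either, alias:      ", tls_name_check_either("ldap.example.test", shared_cert))
    print("either, IP:         ", tls_name_check_either("192.0.2.10", host_cert))
```

Run as a script, the output shows the two reports in the thread side by side: canonicalizing the round-robin alias turns it into ldap1.example.test, which the shared certificate does not name, while an IP literal only verifies once it has been canonicalized to the server's DNS name. Whatever a real implementation chooses, the name it ends up comparing is worth logging at debug level, since "certificate verify failed" alone does not tell the administrator which of the two names was checked.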