authorRob Crittenden <rcritten@redhat.com>2011-08-26 10:42:40 -0400
committerRob Crittenden <rcritten@redhat.com>2011-08-25 20:38:11 -0400
commita750ccb5a2c525e9c117f6139583a710ec4fb656 (patch)
tree7c599d56a35b9e0fa867ac1d93bb09b58d0661df /ipa-client
parent9dd689ff9d4e167f00802b39bea390b763a5a7e9 (diff)
Disable reverse lookups in ipa-join and ipa-getkeytab
This prevents broken DNS from causing enrollment problems. https://fedorahosted.org/freeipa/ticket/1693
Diffstat (limited to 'ipa-client')
-rw-r--r--ipa-client/ipa-getkeytab.c7
-rw-r--r--ipa-client/ipa-join.c7
2 files changed, 14 insertions, 0 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 166f46e63..5a521d041 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -577,6 +577,13 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto error_out;
+ }
+
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
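Review bot: The comment above the new `ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON)` call says what is turned off but not why it matters for authentication. With canonicalization on, the host name used to build the server's SASL/GSSAPI service principal comes from a reverse DNS answer instead of the name the caller supplied. I would expand it to something like `/* Use the hostname as given for the SASL service principal; do not let a reverse DNS lookup rewrite it (ticket 1693) */`, and the same applies to the identical comment in the ipa-join.c hunk. This option only covers libldap's own lookup; the Kerberos library may still canonicalize the name unless `rdns = false` is set in krb5.conf, which is presumably handled elsewhere and is worth noting in the comment. The body of ldap_set_keytab starts and ends outside the hunk.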
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index f6ca69367..aac80976d 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -213,6 +213,13 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
goto fail;
}
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto fail;
+ }
+
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
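Review bot: In `connect_ldap` the new option is set unconditionally and a failure aborts the connection through `goto fail`, yet the function takes `binddn` and `bindpw`, which suggests at least one path does a simple bind where a SASL option has no effect. If so, a comment such as `/* only relevant for the SASL/GSSAPI bind path */` would help, and it is worth deciding whether a failure here should stop a password-based enrollment. Keeping the failure fatal on the GSSAPI path is the safer choice, because silently continuing would put the reverse lookup back in the trust path. The bind itself is outside the hunk, so this is inferred from the signature only.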