From aad2aecb34b723cd322f46ea4aa7c349e9f5f465 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 26 Aug 2011 10:42:40 -0400
Subject: Disable reverse lookups in ipa-join and ipa-getkeytab

This prevents broken DNS from causing enrollment problems.

https://fedorahosted.org/freeipa/ticket/1693
---
 ipa-client/ipa-getkeytab.c | 7 +++++++
 ipa-client/ipa-join.c | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 01b8d7bc5..b884e8d9f 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -577,6 +577,13 @@ static int ldap_set_keytab(krb5_context krbctx,
         goto error_out;
     }
 
+    /* Don't do DNS canonicalization */
+    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+    if (ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+        goto error_out;
+    }
+
     version = LDAP_VERSION3;
     ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
     if (ret != LDAP_SUCCESS) {
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index f6ca69367..aac80976d 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -213,6 +213,13 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         goto fail;
     }
 
+    /* Don't do DNS canonicalization */
+    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+    if (ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+        goto fail;
+    }
+
     ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
     if (ret != LDAP_SUCCESS) {
         fprintf(stderr, _("Unable to set LDAP version\n"));
-- 
cgit
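Review bot: The added comment `/* Don't do DNS canonicalization */` in ldap_set_keytab (and the identical block in connect_ldap in ipa-join.c) states what the option does but not why it matters or what it now requires of the caller; I would expand it to `/* Disable SASL hostname canonicalization: with it on, libldap resolves the server name through reverse DNS to build the GSSAPI target principal, so a missing or wrong PTR record breaks enrollment (ticket 1693). The host name passed to this function must therefore already be the server's canonical name. */`. Making the principal depend on the caller-supplied name rather than on DNS answers is the safer direction, since a spoofed or stale PTR record can no longer redirect the SASL bind to a different service principal, and the comment should make that property explicit so a later change does not quietly turn canonicalization back on. Presumably LDAP_OPT_X_SASL_NOCANON is only available with OpenLDAP's libldap, so on another LDAP client library this hunk would fail to compile rather than fail at runtime; if the client is meant to build against other libraries, the call should be wrapped in `#ifdef LDAP_OPT_X_SASL_NOCANON`. Both enclosing functions start before and continue past their hunks.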