This sounds a bit like "violent agreement" to me.

On Mar 7, 2011, at 9:35 AM, Guillaume Rousse wrote:

> On 07/03/2011 17:53, Bill MacAllister wrote:
>>
>> --On Monday, March 07, 2011 10:48:21 AM +0100 Guillaume Rousse
>> <guillomovitch@xxxxxxxxx> wrote:
>>
>>> On 06/03/2011 22:05, Russ Allbery wrote:
>>>> OpenLDAP is the hardest problem, since it uses Cyrus SASL and Cyrus SASL
>>>> doesn't support checking every key in the keytab by default.
>>> OpenLDAP has a 'sasl-host' directive permitting you to enforce the hostname
>>> to use, which is enough to get rid of the issue, by using the hostname
>>> attached to the service virtual interface.
>>
>> Actually that doesn't always help. Frequently in HA environments it
>> is useful to be able to connect directly to one of the HA hosts as
>> well as connecting to the HA hostname. Using sasl-host you can only
>> specify one hostname, which prevents binding to the directory on a
>> specific host without playing games with hosts files and such.
> You just prevent SASL authentication from working when contacting the server
> node directly AFAIK.
>
> That's the same issue for any server-authentication mechanism, such as
> TLS: without the ability to have some kind of aliasing in your
> certificate, there is only one way of naming the trusted resource.
> --
> BOFH excuse #365:
>
> parallel processors running perpendicular today

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech,
JPL, NASA, or the US Government.
Henry.B.Hotz@xxxxxxxxxxxx, or hbhotz@xxxxxxx
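As an added illustration of the point Russ, Guillaume and Bill are debating (example code written here, not from any participant and not the Cyrus SASL or OpenLDAP implementation), the Python below constructs a small MIT-format keytab (file format version 0x0502) holding both the service's virtual-IP name and one node's own name, parses it back, and models the two acceptance policies: a single configured sasl-host versus checking every principal present in the keytab. The realm, hostnames, kvnos and key bytes are constructed for the demo, and no Kerberos library is called; the only real-world constant used is enctype 18 (aes256-cts-hmac-sha1-96).

```python
# Added example, not code from the thread: build a small MIT-format keytab
# (version 0x0502) for two server principals, parse it back, and contrast the
# two acceptance policies discussed above.
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_V2 = 0x0502  # MIT keytab file format version


def _counted(data: bytes) -> bytes:
    """Encode a keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


@dataclass
class KeytabEntry:
    principal: str  # e.g. ldap/host.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries as a v2 keytab (constructed for the demo; a real keytab
    comes from kadmin/ktutil and its keys are secret)."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp (0 in the demo), 8-bit kvno
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab; negative-size slots are deleted entries and are skipped."""
    (ver,) = struct.unpack_from(">H", blob, 0)
    if ver != KEYTAB_V2:
        raise ValueError(f"unsupported keytab version 0x{ver:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        p = pos + 2
        realm, p = _read_counted(blob, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(blob, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", blob, p)
        key, p = _read_counted(blob, p + 2)
        kvno = vno8
        if end - p >= 4:  # a non-zero 32-bit kvno extension overrides vno8
            (full,) = struct.unpack_from(">I", blob, p)
            kvno = full or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        pos = end
    return entries


def accepted_by_sasl_host(ticket_sprinc: str, sasl_host: str, realm: str) -> bool:
    """Model of a fixed sasl-host: the server accepts exactly one ldap/ principal."""
    return ticket_sprinc == f"ldap/{sasl_host}@{realm}"


def accepted_by_any_keytab_key(ticket_sprinc: str, keytab: List[KeytabEntry]) -> bool:
    """Model of 'check every key in the keytab': any entry's principal may match."""
    return any(e.principal == ticket_sprinc for e in keytab)


# Constructed sample: the VIP name plus one node name in the same (made-up) realm.
REALM = "EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(f"ldap/ldap.{REALM.lower()}@{REALM}", 3, 18, bytes(range(32))),
    KeytabEntry(f"ldap/node1.{REALM.lower()}@{REALM}", 300, 18, bytes(range(32, 64))),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e.principal, "kvno", e.kvno)
    ticket = f"ldap/node1.{REALM.lower()}@{REALM}"  # client bound to the node directly
    print("sasl-host policy:", accepted_by_sasl_host(ticket, f"ldap.{REALM.lower()}", REALM))
    print("any-key policy:  ", accepted_by_any_keytab_key(ticket, entries))
```

Run stand-alone, the node-direct ticket is rejected under the single sasl-host model and accepted under the any-key model, which is exactly the operational gap Bill describes; a principal for a host that is not in the keytab is rejected under both, so widening the check to the keytab's contents does not widen it to arbitrary names.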