#167 opendkim does not consider /etc/hosts when talking to ldap

[Quanah Gibson-Mount]

Found an interesting issue with a customer this week, when opendkim wouldn't start, even though ldap was running on the same server.

the keytable & signing table both pointed to:

ldap://mx1.domain.com/...

The ldap server for mx1.domain.com was bound to 192.168.1.52 (example IP)
But the IP for mx1.domain.com in DNS was 60.111.222.333 (example IP)

OpenDKIM would fail to start because it could not connect to 60.111.222.333. However, /etc/hosts had both IPs for the host in it:

192.168.1.52 mx1.domain.com
60.111.222.333 mx1.domain.com

So it seems that when doing resolution, /etc/hosts is bypassed with OpenDKIM for the LDAP server.

[Murray S. Kucherawy]

opendkim just uses the resolver libraries. They're the things that are supposed to consult /etc/hosts if configured to do so (e.g., via nsswitch.conf). The calling application shouldn't know about those things.

Are you using bind or unbound?

[Quanah Gibson-Mount]

I'm using whatever it defaults to..

In any case Postfix (which also links to the LDAP libraries) running on this server did not have this problem. Nor did Amavis. Only OpenDKIM failed to honor the entry in /etc/hosts.

[Murray S. Kucherawy]

You'll have to look at the code in dkimf_db_open_ldap() in opendkim/opendkim-db.c to see if we've done something wrong. The ldap data sets are passed to that function, and the hostname part of the URI isn't translated or resolved by our code. The call sequence in there we got from the OpenLDAP folks. I don't know where I would begin to debug this.

We do bypass what nsswitch.conf says in terms of hostname resolution by always going directly to nameservers, but only when querying for TXT records.

[Murray S. Kucherawy]

Ping, Quanah.

[Quanah Gibson-Mount]

Hey Murray,

One client tried disabling the ldap cache, but still sees the same behavior. Still have no idea what's causing it. :/

--Quanah