[31371] in Kerberos
RE: IPv6 handling in SASL LDAP binding
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Thu Aug 13 06:42:05 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Andrew Cobaugh <phalenor@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>
Date: Thu, 13 Aug 2009 18:41:03 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172E71CB6FCC@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor@gmail.com]
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos@mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> When you say things like "configured the Kerberos server with
> hostname" what do you mean? Changing kdc lines in
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library
> definitely support IPv6. Tools like ldapsearch work fine
> while doing a SASL/GSSAPI bind using a hostname with AAAA
> records as well as specifying the v6 address in brackets, so
> I think you can eliminate all of these as problems. The only
> difference is if you're using one of mozilla's products to do
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.
Just realized that the MIT Kerberos distribution doesn't support a numerical IPv6 address in /etc/krb5.conf:
=========================================================
[libdefaults]
default_realm = XCIPV6.COM
[realms]
XCIPV6.COM = {
kdc = [3ffe:2000:0:1::100]:88
}
=========================================================
This is because the code in krb5-1.7/src/lib/krb5/os/locate_kdc.c doesn't support this kdc form.
That Kerberos authentication from our printer is successful with this kind of configuration is due to customization made by Xerox developers. Since LDAP SASL binding uses the dynamic libkrb5.so without this customization, while the authentication uses the static libkrb5.a (linked to the executable kinit), it is no wonder the results are different.
My testing with OpenLDAP is successful because kdc is set to a hostname:
=========================================================
[realms]
XCIPV6.COM = {
kdc = crius:88
default_domain = xcipv6.com
}
=========================================================
I remember that in my testing, I manually filled numerical IPv6 address "[3ffe:2000:0:1::100]:88" into the kdc entry, but ldapsearch would report an error.
Everything is clear now. I will turn to the OS team to seek help.
P.S. Can I ask why the numerical IPv6 address is not supported in the MIT distribution?
Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
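The thread turns on how a "kdc =" value in /etc/krb5.conf is split into host and port. The following is an added example, not code from MIT krb5 or from anyone in the thread: a small parser that accepts the bracketed "[v6addr]:port" form the poster says locate_kdc.c rejects, alongside "host", "host:port" and a bare unbracketed IPv6 literal (which cannot carry a port, since its colons are ambiguous). The function names parse_kdc_entry and kdc_matches are assumptions made for this example.

```c
/* Added example, not code from MIT krb5: split a krb5.conf "kdc =" value into
 * host and port, accepting the "[v6addr]:port" form the thread says
 * locate_kdc.c rejects.  Returns 0 on success, -1 on malformed input;
 * port defaults to 88 (the standard KDC port) when none is given. */
#include <stdlib.h>
#include <string.h>
int parse_kdc_entry(const char *spec, char *host, size_t hostlen, int *port)
{
    const char *hstart = spec, *hend, *pstart = NULL; size_t n;
    if (spec == NULL || host == NULL || hostlen == 0 || port == NULL)
        return -1;
    *port = 88;
    if (spec[0] == '[') {               /* "[addr]" or "[addr]:port" */
        hstart = spec + 1;
        if ((hend = strchr(hstart, ']')) == NULL)
            return -1;
        if (hend[1] == ':')
            pstart = hend + 2;
        else if (hend[1] != '\0')
            return -1;                  /* trailing junk after ']' */
    } else if (strchr(spec, ':') != strrchr(spec, ':')) {
        /* Two or more colons, no brackets: bare IPv6 literal, port impossible */
        hend = spec + strlen(spec);
    } else {                            /* "host" or "host:port" */
        if ((hend = strchr(spec, ':')) == NULL)
            hend = spec + strlen(spec);
        else
            pstart = hend + 1;
    }
    n = (size_t)(hend - hstart);
    if (n == 0 || n >= hostlen)
        return -1;                      /* empty host or would overflow */
    memcpy(host, hstart, n);
    host[n] = '\0';
    if (pstart != NULL) {
        char *end;
        long p = strtol(pstart, &end, 10);
        if (*pstart == '\0' || *end != '\0' || p < 1 || p > 65535)
            return -1;                  /* missing or invalid port */
        *port = (int)p;
    }
    return 0;
}
/* Convenience for checks: 1 if spec parses to exactly (want_host, want_port). */
int kdc_matches(const char *spec, const char *want_host, int want_port)
{
    char host[256]; int port;
    return parse_kdc_entry(spec, host, sizeof host, &port) == 0
        && strcmp(host, want_host) == 0 && port == want_port;
}
```

A resolver built on this still has to pass the extracted host to getaddrinfo() with AI_NUMERICHOST for literals, which is where the brackets matter: "3ffe:2000:0:1::100" resolves, "[3ffe:2000:0:1::100]:88" as one string does not.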