IPv6 handling in SASL LDAP binding

Andrew Cobaugh phalenor at gmail.com
Fri Aug 7 09:00:19 EDT 2009


On Fri, Aug 7, 2009 at 4:28 AM, Xu, Qiang
(FXSGSC)<Qiang.Xu at fujixerox.com> wrote:
> Since it seems MozLDAP didn't pass any info related to Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com at XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

MozLDAP, so are you using Thunderbird or something then? I think there
is a bug in MozLDAP where it's unable to perform any queries over IPv6
when the given hostname has both AAAA and A records. A colleague of
mine just came across this the other day.

Can you try eliminating SASL from the equation altogether and see if
whatever you're using can query over IPv6 while doing an anonymous
bind?

When you say things like "configured the Kerberos server with
hostname" what do you mean? Changing kdc lines in /etc/krb5.conf? MIT
Kerberos and their GSSAPI library definitely support IPv6. Tools like
ldapsearch work fine while doing a SASL/GSSAPI bind using a hostname
with AAAA records as well as specifying the v6 address in brackets, so
I think you can eliminate all of these as problems. The only
difference is if you're using one of Mozilla's products to do LDAP,
they have their own LDAP library, MozLDAP as you mentioned.

--andy
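
The isolation step suggested in the message above (take SASL out of the picture and check whether the LDAP port answers over IPv6 for a name with both AAAA and A records) can be scripted. This is an added example, not part of the original post or of any project mentioned in it; the function names, the default port 389 and the wording of the diagnosis strings are assumptions made for illustration.

```python
import socket
import sys

FAMILIES = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}

def addresses_by_family(host, port, resolve=socket.getaddrinfo):
    """Group the host's resolved TCP addresses into IPv6 (AAAA) and IPv4 (A)."""
    found = {"IPv6": [], "IPv4": []}
    for family, _, _, _, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        name = FAMILIES.get(family)
        if name and sockaddr[0] not in found[name]:
            found[name].append(sockaddr[0])
    return found

def tcp_connect(address, port, timeout=3.0):
    """True if a plain TCP handshake to the literal address completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe(host, port=389, resolve=socket.getaddrinfo, connect=tcp_connect):
    """Try every resolved address separately; no LDAP bind, no SASL involved."""
    return {(fam, addr): connect(addr, port)
            for fam, addrs in addresses_by_family(host, port, resolve).items()
            for addr in addrs}

def diagnose(results):
    """Summarise which address families exist for the name and which answer."""
    v6 = [ok for (fam, _), ok in results.items() if fam == "IPv6"]
    v4 = [ok for (fam, _), ok in results.items() if fam == "IPv4"]
    if not v6:
        return "no AAAA record: the client can only be using IPv4"
    if not any(v6):
        return "AAAA present but IPv6 port unreachable: network or server listener"
    if v4:
        return "dual-stack and IPv6 reachable: suspect the client LDAP library"
    return "IPv6-only and reachable: transport is fine"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    res = probe(host)
    for (fam, addr), ok in res.items():
        print(f"{fam} {addr}: {'open' if ok else 'unreachable'}")
    print(diagnose(res))
```

If the IPv6 address answers here but the client still fails, the next comparison is the one the message describes: an anonymous bind, then a SASL/GSSAPI bind, from a different LDAP client.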



