IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Mon Aug 10 22:11:44 EDT 2009


> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com] 
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding

Sorry to reply late. I just came back from a long weekend.
 
> MozLDAP, so are you using thunderbird or something then? I 
> think there is a bug in MozLDAP where it's unable to perform 
> any queries over IPv6 when the given hostname has both AAAA 
> and A records. A colleague of mine just came across this the 
> other day.

I am referring to Mozilla LDAP libraries.

Yes, I have hit the problem as well. We worked around it by initializing a simple binding first, to retrieve the LDAP server's dnsHostname attribute; then we passed this value to prldap_init(), and the SASL binding is successful. Anyway, in SASL binding, the server's FQDN is preferred.
 
> Can you try eliminating SASL from the equation altogether and 
> see if whatever you're using can query over IPv6 while doing 
> an anonymous bind?

It seems to be a defect of the MozLDAP library. And strangely, an IPv6 address can be handled in simple binding.
 
> When you say things like "configured the Kerberos server with 
> hostname" what do you mean? Changing kdc lines in 
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library 
> definitely support IPv6. Tools like ldapsearch work fine 
> while doing a SASL/GSSAPI bind using a hostname with AAAA 
> records as well as specifying the v6 address in brackets, so 
> I think you can eliminate all of these as problems. The only 
> difference is if you're using one of mozilla's products to do 
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Our printer has a WebUI, which enables us to configure the Kerberos server through a web page. By "configured the Kerberos server with hostname", I mean doing it from the WebUI. Our printer has another DNS option, "Prefer IPv6 address over IPv4 address", to prioritize IPv6 addresses when resolving hostnames. Thus, when the Kerberos server is configured by hostname, DNS will return an IPv6 address in response, and the printer writes that value into "/etc/krb5.conf".

When "/etc/krb5.conf" is configured with an IPv4 address:
================================================
[libdefaults]
	default_realm = XCIPV6.COM

[realms]
	XCIPV6.COM = {
		kdc = 13.198.97.42:88
	}
================================================
SASL binding is successful, with all network traffic over IPv4.

In contrast, when "/etc/krb5.conf" has the kdc in IPv6 form:
================================================
[libdefaults]
	default_realm = XCIPV6.COM

[realms]
	XCIPV6.COM = {
		kdc = [3ffe:2000:0:1::100]:88
	}
================================================
SASL binding will fail.

The failing network trace contains the following DNS query:
================================================
953	29.970599	13.198.98.117	13.198.97.42	DNS	Standard query AAAA [3ffe.xcipv6.com
954	29.970621	13.198.97.42	13.198.98.117	DNS	Standard query response, No such name
================================================
Note that the AAAA DNS query name begins with "[3ffe", which is taken from "/etc/krb5.conf". The failure of this DNS query is expected.

The problem in SASL LDAP binding is that it can't locate the Kerberos server (for the above reason), hence the TGS-REQ can't be initiated. To my knowledge, locating the Kerberos server is done by the Cyrus-SASL plugin (libgssapiv2.so) calling the MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the former has some problem handling an IPv6 address configured in "/etc/krb5.conf".

Still, the IPv6 address is handled correctly by "kinit", and the Kerberos server can be found when authentication is done. I am not sure if kinit and libgssapi_krb5.so are compiled from the same MIT source package. If the answer is yes, then it is quite weird that kinit can handle an IPv6 address while libgssapi_krb5.so can't. If the answer is no, then it is more understandable.

Another question: in order to enable libgssapi_krb5.so to handle IPv6 addresses, should its source code be configured with the --enable-ipv6 option (i.e. ./configure --enable-ipv6=yes)?

Thanks,
Xu Qiang
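The trace above shows a host:port value being split at its first colon, so the resolver is handed "[3ffe" as a hostname. As an added illustration (not MIT Kerberos, Cyrus SASL or MozLDAP code), the following parser contrasts that naive split with one that understands the bracketed IPv6 form used in the post's krb5.conf; the sample configuration is constructed from the two [realms] stanzas quoted above, and the `kdc_entries` helper is a hypothetical name.

```python
import ipaddress
import re

DEFAULT_KDC_PORT = 88  # the port given on the post's kdc lines

def naive_split(value):
    """Split on the first ':' only. For a bracketed IPv6 literal this yields
    the host "[3ffe", the exact name seen in the post's AAAA query."""
    host, _, port = value.partition(':')
    return host, port or str(DEFAULT_KDC_PORT)

def parse_kdc(value):
    """Return (host, port, is_ip_literal) for a krb5.conf kdc value.
    Accepts host, host:port, [v6addr]:port, [v6addr] and a bare v6 literal.
    An IP literal must be connected to directly, never sent to DNS."""
    value = value.strip()
    if value.startswith('['):
        end = value.find(']')
        if end < 0:
            raise ValueError("unterminated '[' in kdc value: %r" % value)
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)  # reject garbage between the brackets
        if rest and not re.fullmatch(r':\d+', rest):
            raise ValueError("bad port suffix in kdc value: %r" % value)
        return host, int(rest[1:]) if rest else DEFAULT_KDC_PORT, True
    if value.count(':') > 1:
        ipaddress.IPv6Address(value)  # bare v6 literal: colons are the address
        return value, DEFAULT_KDC_PORT, True
    host, _, port = value.partition(':')
    if port and not port.isdigit():
        raise ValueError("bad port in kdc value: %r" % value)
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False  # a name: this one really goes to DNS
    return host, int(port) if port else DEFAULT_KDC_PORT, literal

def rejects(value):
    """True if parse_kdc refuses the value (used to check malformed input)."""
    try:
        parse_kdc(value)
        return False
    except ValueError:
        return True

KDC_LINE = re.compile(r'^\s*kdc\s*=\s*(.+?)\s*$')

def kdc_entries(krb5_conf_text):
    """Parse every 'kdc =' line of a krb5.conf text (realm nesting ignored)."""
    return [parse_kdc(m.group(1)) for m in map(KDC_LINE.match,
            krb5_conf_text.splitlines()) if m]

# Constructed sample: both kdc forms from the post in one [realms] stanza.
SAMPLE_CONF = """[libdefaults]
    default_realm = XCIPV6.COM

[realms]
    XCIPV6.COM = {
        kdc = 13.198.97.42:88
        kdc = [3ffe:2000:0:1::100]:88
    }
"""
```

Running `kdc_entries(SAMPLE_CONF)` returns both servers as IP literals on port 88, whereas `naive_split` on the IPv6 line returns "[3ffe" as the host.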
