IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Aug 13 04:21:53 EDT 2009


> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com] 
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> When you say things like "configured the Kerberos server with 
> hostname" what do you mean? Changing kdc lines in 
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library 
> definitely support IPv6. Tools like ldapsearch work fine 
> while doing a SASL/GSSAPI bind using a hostname with AAAA 
> records as well as specifying the v6 address in brackets, so 
> I think you can eliminate all of these as problems. The only 
> difference is if you're using one of mozilla's products to do 
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Yes, in my testing, the OpenLDAP utility ldapsearch also works well with an IPv6 address in /etc/krb5.conf when doing SASL binding.

Although we are using the Mozilla LDAP library, I don't think it is MozLDAP's fault, coz it doesn't pass anything related to the Kerberos authentication server to the Cyrus-SASL library. And Cyrus-SASL can be cleared of any wrongdoing as well, coz the same package is used in OpenLDAP testing.

On the machine where I did OpenLDAP testing, it was using the original MIT distribution, so the MIT Kerberos package should be good. Our printer fails to locate the Kerberos server in SASL binding, probably because we are using a customized MIT distribution. I've got to check with the OS team about this.

By the way, I downloaded the MIT Kerberos v1.7 distribution, in which I found the possible place to locate the Kerberos server is in "krb5-1.7/src/lib/krb5/locate_kdc.c". In that file, getaddrinfo() is used to resolve the kdc entry in /etc/krb5.conf. Maybe some other files are also related, I am not very sure. Anyway, this seems to be the only library that is tasked to resolve a hostname to an IP address and find the Kerberos server. Am I right on this?

But I don't know how to compile this module to support IPv6. In the makefile, I didn't find any related switch, like "--enable-ipv6". Is the support for IPv6 built-in? If not, is there a way to turn on the support?

Thanks,
Xu Qiang
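
Added example (not part of the original message and not MIT Kerberos source code): a small C check of the getaddrinfo() behaviour discussed above, showing that one protocol-agnostic call with AF_UNSPEC handles an IPv6 literal, bracketed or bare, as well as an IPv4 one. The accepted entry formats, the default port and the names split_entry and kdc_entry_family are assumptions made for this illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* Split "host", "host:port", "[v6]" or "[v6]:port" (formats assumed for this
 * example) into host (copied to buf) and port (default "88"). 0 ok, -1 bad. */
static int split_entry(const char *e, char *buf, size_t len, const char **port)
{
    const char *h = e, *end;

    *port = "88";
    if (*e == '[') {                      /* bracketed IPv6 literal */
        h = e + 1;
        if ((end = strchr(h, ']')) == NULL) return -1;
        if (end[1] == ':') *port = end + 2;
        else if (end[1] != '\0') return -1;
    } else {
        end = strchr(h, ':');
        if (end == NULL || strchr(end + 1, ':') != NULL)
            end = h + strlen(h);          /* no port, or bare IPv6 literal */
        else
            *port = end + 1;
    }
    if (end == h || **port == '\0' || (size_t)(end - h) >= len) return -1;
    memcpy(buf, h, (size_t)(end - h));
    buf[end - h] = '\0';
    return 0;
}

/* Address family of the first getaddrinfo() result, or -1 on failure.
 * numeric_only sets AI_NUMERICHOST so literals are checked without DNS. */
int kdc_entry_family(const char *entry, int numeric_only)
{
    char host[256];
    const char *port;
    struct addrinfo hints, *res = NULL;
    int fam;

    if (split_entry(entry, host, sizeof host, &port) != 0) return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;          /* accept AAAA and A results alike */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICSERV | (numeric_only ? AI_NUMERICHOST : 0);
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    fam = res->ai_family;
    freeaddrinfo(res);
    return fam;
}
```

Calling kdc_entry_family() with numeric_only set to 0 on the affected device would show whether its resolver returns AF_INET6 for a hostname that has AAAA records.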



