IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Aug 13 04:37:09 EDT 2009


> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com] 
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> When you say things like "configured the Kerberos server with 
> hostname" what do you mean? Changing kdc lines in 
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library 
> definitely support IPv6. Tools like ldapsearch work fine 
> while doing a SASL/GSSAPI bind using a hostname with AAAA 
> records as well as specifying the v6 address in brackets, so 
> I think you can eliminate all of these as problems. The only 
> difference is if you're using one of mozilla's products to do 
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Digging further in "krb5-1.7/src/lib/krb5/locate_kdc.c", I found that to enable IPv6 support, "KRB5_USE_INET6" must be defined: 
========================================================
static int
module_callback (void *cbdata, int socktype, struct sockaddr *sa)
{
    struct module_callback_data *d = cbdata;
    struct {
	struct addrinfo ai;
	union {
	    struct sockaddr_in sin;
#ifdef KRB5_USE_INET6
	    struct sockaddr_in6 sin6;
#endif
	} u;
    } *x;

    if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM)
	return 0;
    if (sa->sa_family != AF_INET
#ifdef KRB5_USE_INET6
	&& sa->sa_family != AF_INET6
#endif
	)
	return 0;
    x = calloc (1, sizeof (*x));
    if (x == 0) {
	d->out_of_mem = 1;
	return 1;
    }
    x->ai.ai_addr = (struct sockaddr *) &x->u;
    x->ai.ai_socktype = socktype;
    x->ai.ai_family = sa->sa_family;
    if (sa->sa_family == AF_INET) {
	x->u.sin = *(struct sockaddr_in *)sa;
	x->ai.ai_addrlen = sizeof(struct sockaddr_in);
    }
#ifdef KRB5_USE_INET6
    if (sa->sa_family == AF_INET6) {
	x->u.sin6 = *(struct sockaddr_in6 *)sa;
	x->ai.ai_addrlen = sizeof(struct sockaddr_in6);
    }
#endif
    if (add_addrinfo_to_list (d->lp, &x->ai, free, x) != 0) {
	/* Assumes only error is ENOMEM.  */
	d->out_of_mem = 1;
	return 1;
    }
    return 0;
}
========================================================
So I must add "-DKRB5_USE_INET6" to CFLAGS, right? 

I found that in our own kinit compilation (customized from the MIT distribution), "-DKRB5_USE_INET6" is defined in krb5/src/Makefile. The library generated is a static one and is linked into the kinit executable. Maybe that's why our Kerberos authentication can pass. 

When doing SASL binding, we are using the dynamic one, libkrb5.so, which is not compiled from the module contained in the kinit folder in our baseline. I guess "-DKRB5_USE_INET6" was not added to the CFLAGS when libkrb5.so was compiled.

Anyway, I will check it with the OS team, who are building the dynamic library.

Thanks,
Xu Qiang
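An added example, not part of Xu Qiang's message or of the krb5 source: a stand-alone C program that replicates the address-family filter module_callback() applies in locate_kdc.c, so the effect of building with or without -DKRB5_USE_INET6 can be seen directly. Instead of dropping the AF_INET6 branch at compile time, the filter takes an inet6_enabled flag, and build_has_inet6() reports whether the program itself was compiled with the macro. The function and variable names, and the sample KDC addresses (documentation ranges 192.0.2.10 and 2001:db8::10), are constructed for this example. Compile it twice, once with plain `cc demo.c` and once with `cc -DKRB5_USE_INET6 demo.c`, to see the first line of output change.

```c
/* Added example (not krb5 code): replica of the KDC address filter from
 * module_callback() in locate_kdc.c, parameterised at run time so both
 * build variants can be compared in one program. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* 1 if this translation unit was compiled with -DKRB5_USE_INET6, else 0.
 * This is the only place the macro is consulted, mirroring how the real
 * library's IPv6 path exists or not depending on its CFLAGS. */
int build_has_inet6(void)
{
#ifdef KRB5_USE_INET6
    return 1;
#else
    return 0;
#endif
}

/* Same decision as module_callback(): reject unsupported socket types,
 * accept AF_INET, and accept AF_INET6 only when IPv6 support is built in.
 * Returns 1 if the address would be added to the KDC list, 0 if dropped. */
int kdc_address_accepted(const struct sockaddr *sa, int socktype,
                         int inet6_enabled)
{
    if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM)
        return 0;
    if (sa->sa_family == AF_INET)
        return 1;
    if (sa->sa_family == AF_INET6 && inet6_enabled)
        return 1;
    return 0;   /* silently skipped: the KDC is simply never contacted */
}

/* Runs a constructed two-entry candidate list (one A-style, one
 * AAAA-style KDC address, port 88) through the filter and returns how
 * many survive. Prints each dropped address so the loss is visible. */
int count_accepted(int inet6_enabled)
{
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
    const struct sockaddr *cands[2];
    char text[INET6_ADDRSTRLEN];
    int i, n = 0;

    memset(&v4, 0, sizeof v4);          /* constructed sample: 192.0.2.10 */
    v4.sin_family = AF_INET;
    v4.sin_port = htons(88);
    inet_pton(AF_INET, "192.0.2.10", &v4.sin_addr);

    memset(&v6, 0, sizeof v6);          /* constructed sample: 2001:db8::10 */
    v6.sin6_family = AF_INET6;
    v6.sin6_port = htons(88);
    inet_pton(AF_INET6, "2001:db8::10", &v6.sin6_addr);

    cands[0] = (const struct sockaddr *)&v4;
    cands[1] = (const struct sockaddr *)&v6;

    for (i = 0; i < 2; i++) {
        if (kdc_address_accepted(cands[i], SOCK_DGRAM, inet6_enabled)) {
            n++;
            continue;
        }
        /* Render the dropped address for the report. */
        if (cands[i]->sa_family == AF_INET6)
            inet_ntop(AF_INET6, &v6.sin6_addr, text, sizeof text);
        else
            inet_ntop(AF_INET, &v4.sin_addr, text, sizeof text);
        printf("  dropped KDC candidate %s (family %d)\n",
               text, cands[i]->sa_family);
    }
    return n;
}

int main(void)
{
    printf("this build defines KRB5_USE_INET6: %s\n",
           build_has_inet6() ? "yes" : "no");
    printf("filter as built: %d of 2 KDC addresses kept\n",
           count_accepted(build_has_inet6()));
    printf("filter with IPv6 enabled: %d of 2 KDC addresses kept\n",
           count_accepted(1));
    printf("filter with IPv6 disabled: %d of 2 KDC addresses kept\n",
           count_accepted(0));
    return 0;
}
```

Running the program shows the operational consequence the thread is about: a library built without the macro does not fail loudly; it just never adds the AAAA-record KDC to its list, so a host that only has an IPv6 path to the KDC sees the bind fail while an IPv4-capable kinit built with the macro works.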
