IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Aug 13 06:41:03 EDT 2009


> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com] 
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> When you say things like "configured the Kerberos server with 
> hostname" what do you mean? Changing kdc lines in 
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library 
> definitely support IPv6. Tools like ldapsearch work fine 
> while doing a SASL/GSSAPI bind using a hostname with AAAA 
> records as well as specifying the v6 address in brackets, so 
> I think you can eliminate all of these as problems. The only 
> difference is if you're using one of mozilla's products to do 
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Just realized that the MIT Kerberos distribution doesn't support a numerical IPv6 address in /etc/krb5.conf:
=========================================================
[libdefaults]
	default_realm = XCIPV6.COM

[realms]
	XCIPV6.COM = {
		kdc = [3ffe:2000:0:1::100]:88
	}
=========================================================
This is because the code in krb5-1.7/src/lib/krb5/os/locate_kdc.c doesn't support this kdc form.

That Kerberos authentication from our printer is successful with this kind of configuration is due to customization made by Xerox developers. Since LDAP SASL binding uses the dynamic libkrb5.so without this customization, while the authentication uses the static libkrb5.a (linked to the kinit executable), it is no wonder the results are different.

My testing with OpenLDAP is successful because kdc is set to a hostname:
=========================================================
[realms]
 XCIPV6.COM = {
  kdc = crius:88
  default_domain = xcipv6.com
 }
=========================================================
I remember that in my testing, I manually filled the numerical IPv6 address "[3ffe:2000:0:1::100]:88" into the kdc entry, but ldapsearch would report an error.

Everything is clear now. I will turn to OS team to seek help.

P.S. Can I ask why the numerical IPv6 address is not supported in the MIT distribution?

Thanks,
Xu Qiang
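The message above turns on how a `kdc =` value is split into host and port: `crius:88` is unambiguous, but `[3ffe:2000:0:1::100]:88` breaks any splitter that cuts at the first colon. The following is an added example, written for this page and not code from the thread or from MIT's locate_kdc.c; `naive_host_port` is a constructed stand-in for a parser that never expected IPv6 literals, `parse_kdc_entry` shows a bracket-aware version, and `audit_kdc_entries` scans a krb5.conf text for kdc lines so an administrator can find entries in the bracketed form before rolling out a library that cannot parse them. The second realm name in the sample config is constructed; the first stanza is the one quoted in the message.

```python
import ipaddress
import re

# Default Kerberos KDC port, used when a kdc entry carries no explicit port.
DEFAULT_KDC_PORT = 88


def naive_host_port(value: str):
    """Illustrative 'host:port' splitter that cuts at the first colon.

    Constructed stand-in for a parser that never expected an IPv6 literal
    (not the code from locate_kdc.c). Works for 'crius:88' but mangles
    '[3ffe:2000:0:1::100]:88' into host '[3ffe' and port '2000:0:1::100]:88'.
    """
    host, sep, port = value.partition(":")
    return host, (port if sep else str(DEFAULT_KDC_PORT))


def parse_kdc_entry(value: str):
    """Parse a krb5.conf `kdc =` value into (host, port, is_ipv6_literal).

    Accepted forms: hostname, hostname:port, IPv4 literal with optional
    port, and the bracketed form [v6-literal] or [v6-literal]:port.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError(f"unterminated '[' in kdc entry {value!r}")
        host = value[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError if not a v6 literal
        rest = value[end + 1:]
        if rest == "":
            port = DEFAULT_KDC_PORT
        elif rest.startswith(":") and rest[1:].isdigit():
            port = int(rest[1:])
        else:
            raise ValueError(f"bad port suffix in kdc entry {value!r}")
        is_v6 = True
    else:
        if value.count(":") > 1:
            # A bare v6 literal cannot be split from a port unambiguously.
            raise ValueError(f"unbracketed IPv6 literal in kdc entry {value!r}; "
                             "write it as [addr]:port")
        host, sep, port_s = value.partition(":")
        if sep and not port_s.isdigit():
            raise ValueError(f"bad port in kdc entry {value!r}")
        port = int(port_s) if sep else DEFAULT_KDC_PORT
        is_v6 = False
    if not host:
        raise ValueError(f"empty host in kdc entry {value!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in kdc entry {value!r}")
    return host, port, is_v6


# Matches a `kdc = value` line anywhere in the file, whatever its indentation.
_KDC_LINE = re.compile(r"^\s*kdc\s*=\s*(\S+)\s*$", re.MULTILINE)


def audit_kdc_entries(conf_text: str):
    """Return [(raw_value, host, port, is_ipv6_literal), ...] for every
    `kdc =` line. Values that do not parse are reported with host=None so
    the caller can flag them instead of silently skipping them."""
    results = []
    for m in _KDC_LINE.finditer(conf_text):
        raw = m.group(1)
        try:
            host, port, is_v6 = parse_kdc_entry(raw)
        except ValueError:
            host, port, is_v6 = None, None, None
        results.append((raw, host, port, is_v6))
    return results


# Constructed sample: first stanza is the one quoted in the message,
# the second realm name is made up for the example.
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = XCIPV6.COM

[realms]
\tXCIPV6.COM = {
\t\tkdc = [3ffe:2000:0:1::100]:88
\t}
\tOTHER.EXAMPLE = {
\t\tkdc = crius:88
\t\tdefault_domain = xcipv6.com
\t}
"""

if __name__ == "__main__":
    for raw, host, port, is_v6 in audit_kdc_entries(SAMPLE_KRB5_CONF):
        print(f"{raw:28} -> host={host} port={port} ipv6_literal={is_v6}")
        print(f"{'':28}    first-colon split -> {naive_host_port(raw)}")
```

Running the block prints both kdc lines with their correct host/port split alongside what a first-colon splitter produces, which makes the failure mode from the message visible without touching a live KDC. Rejecting an unbracketed literal such as `3ffe:2000:0:1::100:88` rather than guessing is deliberate: a wrong guess would send Kerberos traffic to a host that was never configured.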



