IPv6 handling in SASL LDAP binding

Andrew Cobaugh phalenor at gmail.com
Thu Aug 13 09:13:13 EDT 2009


On Thu, Aug 13, 2009 at 4:21 AM, Xu, Qiang
(FXSGSC)<Qiang.Xu at fujixerox.com> wrote:
> Yes, in my testing, OpenLDAP utility ldapsearch also works well with IPv6 address in /etc/krb5.conf when doing SASL binding.
>
> Although we are using Mozilla LDAP library, I don't think it is MozLDAP's fault, coz it doesn't pass anything related to Kerberos authentication server to Cyrus-SASL library. And Cyrus-SASL can be cleared of any wrongdoing as well, coz the same package is used in OpenLDAP testing.

SASL does not imply Kerberos. SASL accepts a mechanism, in this case
GSSAPI, so you're actually performing a SASL/GSSAPI bind. GSSAPI also
does not imply Kerberos, though krb5 is the predominant GSSAPI
mechanism. In short, SASL does not interact with Kerberos in any way,
and doesn't need to know anything about the Kerberos servers; that's
all done in libkrb5, with libgssapi_krb5 in front of that.

I'm fairly certain there is a bug in MozLDAP where it won't use IPv6
for LDAP queries, at least as reported by a colleague of mine. That
doesn't look like your problem here, though.

> In the machine where I did OpenLDAP testing, it was using original MIT distribution, so MIT Kerberos package should be good. Our printer fails to locate Kerberos server in SASL binding, probably because we are using a customized MIT distribution. I've got to check with OS team about this.
>
> By the way, I downloaded MIT Kerberos v1.7 distribution, in which I found the possible place to locate the Kerberos server is in "krb5-1.7/src/lib/krb5/locate_kdc.c". In that file, getaddrinfo() is used to resolve the kdc entry in /etc/krb5.conf. Maybe some other files are also related, I am not very sure. Anyway, this seems the only library that is tasked to resolve hostname to IP address and find the Kerberos server. Am I right on this?

getaddrinfo() doesn't do the name lookup, getnameinfo() is what
actually does that. I'm not sure if that's the function MIT Kerberos
uses, but getnameinfo() should be protocol agnostic.

--andy
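The thread turns on whether the KDC locator can take an IPv6 kdc entry from /etc/krb5.conf and resolve it. The C program below is an added illustration, not code from this thread, from MIT Kerberos, or from MozLDAP: it parses a krb5.conf-style kdc value (bracketed IPv6 literal, IPv4 literal, or hostname, each with an optional port) and hands the result to getaddrinfo() with AF_UNSPEC, which returns IPv4 and IPv6 socket addresses alike. AI_NUMERICHOST is set so the example runs without DNS; the parser, its bracket convention, the default port of 88 (the standard Kerberos port) and the function names are assumptions made for this example, and the sample entries use documentation address ranges.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical parser for a krb5.conf-style "kdc = host:port" value.
 * An IPv6 literal must be bracketed ("[2001:db8::1]:88"); a hostname or
 * IPv4 literal may carry an optional ":port". The default port is 88.
 * Returns 0 on success, -1 on malformed input. */
int parse_kdc_entry(const char *entry, char *host, size_t hostlen,
                    char *port, size_t portlen)
{
    const char *hbeg, *hend, *pbeg = NULL;

    if (entry[0] == '[') {
        hbeg = entry + 1;
        hend = strchr(hbeg, ']');
        if (hend == NULL) return -1;            /* unterminated bracket */
        if (hend[1] == ':') pbeg = hend + 2;
        else if (hend[1] != '\0') return -1;    /* junk after ']' */
    } else {
        /* Two or more colons without brackets means an unbracketed IPv6
         * literal: host and port are ambiguous, so reject the entry. */
        const char *c1 = strchr(entry, ':');
        if (c1 != NULL && strchr(c1 + 1, ':') != NULL) return -1;
        hbeg = entry;
        hend = (c1 != NULL) ? c1 : entry + strlen(entry);
        if (c1 != NULL) pbeg = c1 + 1;
    }

    size_t n = (size_t)(hend - hbeg);
    if (n == 0 || n >= hostlen) return -1;
    memcpy(host, hbeg, n);
    host[n] = '\0';

    if (pbeg == NULL) pbeg = "88";
    if (*pbeg == '\0' || strlen(pbeg) >= portlen) return -1;
    strcpy(port, pbeg);
    return 0;
}

/* Resolve a parsed host/port pair with getaddrinfo() and AF_UNSPEC.
 * AI_NUMERICHOST restricts it to address literals so no DNS is needed.
 * Returns the address family of the first result (AF_INET or AF_INET6),
 * or -1 if getaddrinfo() rejects the input. */
int resolve_kdc_literal(const char *host, const char *port)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;                /* accept v4 and v6 */
    hints.ai_socktype = SOCK_DGRAM;             /* Kerberos over UDP */
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0 || res == NULL)
        return -1;
    int family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Parse and resolve one kdc entry; returns the family or -1. */
int kdc_entry_family(const char *entry)
{
    char host[256], port[16];
    if (parse_kdc_entry(entry, host, sizeof host, port, sizeof port) != 0)
        return -1;
    return resolve_kdc_literal(host, port);
}

int main(void)
{
    /* Constructed sample entries (documentation ranges, not real KDCs). */
    const char *samples[] = { "[2001:db8::1]:88", "192.0.2.10",
                              "2001:db8::1:88", "kdc.example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fam = kdc_entry_family(samples[i]);
        printf("%-18s -> %s\n", samples[i],
               fam == AF_INET6 ? "AF_INET6" :
               fam == AF_INET  ? "AF_INET"  : "rejected");
    }
    return 0;
}
```

The hostname sample is rejected only because AI_NUMERICHOST is set for the offline demonstration; dropping that flag lets the same call resolve names through DNS and still return whichever families the resolver provides.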
