Hi, all:

SASL LDAP binding will fail if the Kerberos authentication server is configured 
with an IPv6 address. It just can't recognize the IPv6 address, and takes it 
as a hostname. Note: authentication has no problem. The user is given access, 
but the onward LDAP binding fails.

The same problem happens when the Kerberos authentication server is configured with 
a hostname, while the DNS server resolves this hostname to an IPv6 address if the option 
"Prefer IPv6 over IPv4" is checked in the printer's WebUI.

For example, the IPv6 address of the Kerberos server is 
"3ffe:2000:0:1:e0be:1872:d4f8:6b2c", and the authentication domain is 
"xcipv6.com". When MozLDAP (or SASL and its GSSAPI plugin) receives this IPv6 
address, it thinks the address is in the form "hostname:port", splits 
the address at the first colon, and combines it with the domain name to form the 
FQDN "3ffe.xcipv6.com". Then it tries to resolve this FQDN to get the IPv4 
address. Of course, the resolution leads to an error. The server to 
retrieve the Kerberos TGT from can't be located, so the TGS-REQ is never initiated and 
the SASL binding can't go through.

When I configure the printer to use the IPv4 address of the Kerberos server, SASL 
LDAP binding works well.

Has anybody seen this problem before? Any potential solution?

I am not sure which software goes wrong, e.g. MozLDAP, SASL 
(libsasl2.so), or the GSSAPI plugin (libgssapiv2.so). To begin with, I want to 
start from the Mozilla interface "ldap_sasl_interactive_bind_ext_s()". But I 
don't know how to debug it. 

There is some log info like this: 
===================================================
LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_interactive_bind_s\n", 0, 0, 0 );
===================================================
But how do I enable the debug switch? And where should I look for the log 
file? What's the file's physical location?

Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
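The failure mode described in the post above is a host string parser that splits a bare IPv6 literal at its first colon. The following C program is an added illustration of that parse and of the check a practitioner would want in whichever layer does the splitting; it is not code from MozLDAP, libsasl2 or libgssapiv2, and the naive_split/naive_qualify functions are an assumed reconstruction of the behaviour the post describes, not the libraries' real code. The corrected parse_host_port first tries the string as an IPv6 literal (bare, or in RFC 3986 "[addr]:port" form) before it looks for a ":port" separator, and reports an IP literal so the caller does not append the authentication domain or resolve it. The inputs are the address and domain quoted in the post plus a few constructed hostname and IPv4 cases.

```c
/* host_port_parse.c: bare-IPv6-literal handling for "host[:port]" strings.
 * Added illustration only; not MozLDAP, libsasl2 or libgssapiv2 code. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reconstruction of the parse described in the post: split at the
 * first ':' and treat the left part as a host name.  Returns 0 on success. */
static int naive_split(const char *in, char *host, size_t hostlen, int *port)
{
    const char *colon = strchr(in, ':');
    size_t n = colon ? (size_t)(colon - in) : strlen(in);
    if (n + 1 > hostlen) return -1;
    memcpy(host, in, n);
    host[n] = '\0';
    *port = colon ? atoi(colon + 1) : 0;   /* "2000:0:1:..." -> 2000 */
    return 0;
}

/* Qualify an unqualified host with the authentication domain, as the post
 * describes: "3ffe" + "xcipv6.com" -> "3ffe.xcipv6.com". */
static int naive_qualify(const char *in, const char *domain,
                         char *out, size_t outlen)
{
    char host[256];
    int port, len;
    if (naive_split(in, host, sizeof host, &port) != 0) return -1;
    if (strchr(host, '.') == NULL)
        len = snprintf(out, outlen, "%s.%s", host, domain);
    else
        len = snprintf(out, outlen, "%s", host);
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

/* Corrected parse: recognise IP literals before looking for a ':' port
 * separator.  *is_literal is set when host is an IP address, which the
 * caller must neither qualify with a domain nor resolve. */
static int parse_host_port(const char *in, char *host, size_t hostlen,
                           int *port, int *is_literal)
{
    unsigned char buf[16];
    const char *end;
    size_t n;

    *port = 0;
    *is_literal = 0;

    if (in[0] == '[') {                          /* "[v6addr]" or "[v6addr]:port" */
        end = strchr(in, ']');
        if (end == NULL) return -1;
        n = (size_t)(end - in - 1);
        if (n + 1 > hostlen) return -1;
        memcpy(host, in + 1, n);
        host[n] = '\0';
        if (inet_pton(AF_INET6, host, buf) != 1) return -1;
        *is_literal = 1;
        if (end[1] == '\0') return 0;
        if (end[1] != ':') return -1;
        *port = atoi(end + 2);
        return (*port > 0 && *port <= 65535) ? 0 : -1;
    }

    if (inet_pton(AF_INET6, in, buf) == 1) {      /* bare IPv6 literal, no port */
        if (strlen(in) + 1 > hostlen) return -1;
        strcpy(host, in);
        *is_literal = 1;
        return 0;
    }

    /* host name or IPv4 literal with optional ":port"; a second ':' here is
     * neither a valid host name nor a valid IPv6 literal */
    end = strchr(in, ':');
    if (end != NULL && strchr(end + 1, ':') != NULL) return -1;
    n = end ? (size_t)(end - in) : strlen(in);
    if (n == 0 || n + 1 > hostlen) return -1;
    memcpy(host, in, n);
    host[n] = '\0';
    *is_literal = (inet_pton(AF_INET, host, buf) == 1);
    if (end != NULL) {
        *port = atoi(end + 1);
        if (*port <= 0 || *port > 65535) return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed inputs, using the address and domain quoted in the post */
    const char *kdc = "3ffe:2000:0:1:e0be:1872:d4f8:6b2c";
    char q[320], h[256];
    int p, lit;

    if (naive_qualify(kdc, "xcipv6.com", q, sizeof q) == 0)
        printf("naive:   %s -> would resolve %s\n", kdc, q);
    if (parse_host_port(kdc, h, sizeof h, &p, &lit) == 0)
        printf("correct: host=%s port=%d literal=%d\n", h, p, lit);
    return 0;
}
```

Feeding the configured KDC string through a parser like this in each suspected layer is also a quick way to find which component performs the split: the one whose output is "3ffe" (or "3ffe.xcipv6.com") is the one that needs the literal check.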
