On Fri, Aug 7, 2009 at 4:28 AM, Xu, Qiang (FXSGSC)<[email protected]> wrote:
> Since it seems MozLDAP didn't pass any info related to Kerberos
> authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains
> the Kerberos authentication server's whereabouts from the ticket? But there is
> only an LDAP server's service principal in the ticket
> (ldap/[email protected]). It doesn't reveal the authentication
> server's address or hostname, does it?

MozLDAP, so are you using Thunderbird or something then? I think there is a bug in MozLDAP where it's unable to perform any queries over IPv6 when the given hostname has both AAAA and A records. A colleague of mine just came across this the other day. Can you try eliminating SASL from the equation altogether and see if whatever you're using can query over IPv6 while doing an anonymous bind?

When you say things like "configured the Kerberos server with hostname", what do you mean? Changing kdc lines in /etc/krb5.conf?

MIT Kerberos and their GSSAPI library definitely support IPv6. Tools like ldapsearch work fine while doing a SASL/GSSAPI bind using a hostname with AAAA records as well as specifying the v6 address in brackets, so I think you can eliminate all of these as problems. The only difference is if you're using one of Mozilla's products to do LDAP, they have their own LDAP library, MozLDAP as you mentioned.

--andy
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
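The isolation step suggested in the reply (an anonymous bind with no SASL, tried separately on each AAAA and A address), as an added example that is not part of the original message or of any project named in it. It uses only the Python standard library; the function names are hypothetical, port 389 is assumed, and a single `recv` is assumed to return the whole BindResponse.

```python
import socket

# LDAPv3 anonymous simple bind (RFC 4511): messageID 1, version 3,
# empty DN, empty simple password. No SASL/GSSAPI is involved.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the BER element at pos."""
    try:
        tag, length = buf[pos], buf[pos + 1]
    except IndexError:
        raise ValueError("truncated BER header")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, pos, pos + length

def bind_result_code(resp):
    """Return the resultCode of an LDAP BindResponse (0 = success)."""
    # LDAPMessage SEQUENCE -> messageID INTEGER -> BindResponse -> resultCode
    expected = [(0x30, True), (0x02, False), (0x61, True), (0x0A, False)]
    pos = 0
    for want, descend in expected:
        tag, start, end = read_tlv(resp, pos)
        if tag != want:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        pos = start if descend else end
    return int.from_bytes(resp[start:end], "big")

def probe(host, port=389, timeout=5.0):
    """Anonymous-bind to every address host resolves to; one row per address."""
    rows = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        record = "AAAA" if family == socket.AF_INET6 else "A"
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(ANON_BIND)
                outcome = f"resultCode={bind_result_code(s.recv(4096))}"
        except (OSError, ValueError) as exc:
            outcome = f"failed: {exc}"
        rows.append((record, sockaddr[0], outcome))
    return rows
```

If the AAAA row reports `resultCode=0` here while the Mozilla-based client still fails against the same hostname, transport and name resolution are ruled out and the client's LDAP library is the remaining suspect.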
