On Thu, Aug 13, 2009 at 4:21 AM, Xu, Qiang (FXSGSC) <[email protected]> wrote:
> Yes, in my testing, OpenLDAP utility ldapsearch also works well with IPv6 
> address in /etc/krb5.conf when doing SASL binding.
>
> Although we are using Mozilla LDAP library, I don't think it is MozLDAP's 
> fault, coz it doesn't pass anything related to Kerberos authentication server 
> to Cyrus-SASL library. And Cyrus-SASL can be cleared of any wrongdoing as 
> well, coz the same package is used in OpenLDAP testing.

SASL does not imply Kerberos. SASL accepts a mechanism, in this case
GSSAPI, so you're actually performing a SASL/GSSAPI bind. GSSAPI also
does not imply Kerberos, though krb5 is the predominant GSSAPI
mechanism. In short, SASL does not interact with Kerberos in any way,
and doesn't need to know anything about the Kerberos servers; that's
all done in libkrb5, with libgssapi_krb5 in front of that.

I'm fairly certain there is a bug in MozLDAP where it won't use IPv6
for LDAP queries, at least as reported by a colleague of mine. That
doesn't look like your problem here, though.

> In the machine where I did OpenLDAP testing, it was using original MIT 
> distribution, so MIT Kerberos package should be good. Our printer fails to 
> locate Kerberos server in SASL binding, probably due to we are using a 
> customized MIT distribution. I've got to check with OS team about this.
>
> By the way, I downloaded MIT Kerberos v1.7 distribution, in which I found 
> the possible place to locate the Kerberos server is in 
> "krb5-1.7/src/lib/krb5/locate_kdc.c". In that file, getaddrinfo() is used to 
> resolve the kdc entry in /etc/krb5.conf. Maybe some other files are also 
> related, I am not very sure. Anyway, this seems the only library that is 
> tasked to resolve hostname to IP address and find the Kerberos server. Am I 
> right on this?

getaddrinfo() doesn't do the name lookup, getnameinfo() is what
actually does that. I'm not sure if that's the function MIT Kerberos
uses, but getnameinfo() should be protocol agnostic.

--andy

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
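
An added example, not part of the original messages and not MIT Kerberos code: a small C check of how a numeric `kdc` value from /etc/krb5.conf could be split into host and port and handed to getaddrinfo(), so IPv4 and IPv6 entries can be compared on the failing device. The function names `split_kdc` and `kdc_family`, the accepted entry forms, and the sample addresses (documentation ranges) are assumptions made for this example.

```c
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: split a kdc value into host and port (default 88).
 * Forms assumed for this example: host, host:port, [v6], [v6]:port, and a
 * bare v6 literal, which has two or more colons and so cannot carry a port.
 * Returns 0 on success, -1 if the value is malformed. */
int split_kdc(const char *val, char *host, size_t hlen, char *port, size_t plen)
{
    const char *h = val, *p = "88", *c;
    size_t n;

    if (val[0] == '[') {                        /* bracketed IPv6 literal */
        if ((c = strchr(val, ']')) == NULL) return -1;
        h = val + 1;
        n = (size_t)(c - h);
        if (c[1] == ':') p = c + 2;
        else if (c[1] != '\0') return -1;
    } else if ((c = strchr(val, ':')) != NULL && strchr(c + 1, ':') == NULL) {
        n = (size_t)(c - val);                  /* exactly one colon: host:port */
        p = c + 1;
    } else {
        n = strlen(val);                        /* no colon, or bare v6 literal */
    }
    if (n == 0 || n >= hlen || *p == '\0' || strlen(p) >= plen) return -1;
    memcpy(host, h, n);
    host[n] = '\0';
    memcpy(port, p, strlen(p) + 1);
    return 0;
}

/* Address family getaddrinfo() reports for a numeric kdc value, or -1.
 * AI_NUMERICHOST and AI_NUMERICSERV forbid DNS and service-name lookups,
 * so the check runs offline and only exercises literal parsing. */
int kdc_family(const char *val)
{
    char host[256], port[16];
    struct addrinfo hints, *res;
    int fam;

    if (split_kdc(val, host, sizeof host, port, sizeof port) != 0) return -1;
    memset(&hints, 0, sizeof hints);            /* ai_family 0 == AF_UNSPEC */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    fam = res->ai_family;
    freeaddrinfo(res);
    return fam;
}
```

With this splitter, an unbracketed literal with a port appended, such as `2001:db8::1:88`, is taken as a different but valid IPv6 address on the default port, which is why the bracketed form is the one to test with.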
