I am having problems with Net::LDAP and the
patch by Dominic Hargreaves referenced at
http://git.goingon.net/?p=perl-ldap.git;a=commitdiff;h=af630673855d88c9a88e1f86ee0d068337562e91
for supporting Round-Robin based LDAP servers.
This is the code that is in Net::LDAP version 0.39.
I am looking for additional understanding or
confirmation of the problem.

The problem is in supporting SASL GSSAPI KRB5 authentication
to the server.  In the above patch, we change from calling
  $sasl->client_new("ldap", $ldap->{net_ldap_host});
to occasionally (often) calling
  $sasl->client_new("ldap", $ldap->{net_ldapsocket}->peerhost);
This change presumably allows SASL to use whichever IP address
was chosen from the list instead of the more generic
round-robin hostname with multiple IP addresses.

The net_ldap_host is the domain name,
while peerhost is the ip address.

For my specific case, it is a change from
  $sasl->client_new("ldap", "spelt.srv.cs.cmu.edu");
to
  $sasl->client_new("ldap", "128.2.203.46");

This means that $sasl->host
  was "spelt.srv.cs.cmu.edu" before the patch and
  is now "128.2.203.46" after the patch.

The problem is in how this $sasl->host value is used
in Authen::SASL::Perl::GSSAPI.  Specifically, in
client_start we do
  my $principal = $self->service . '@' . $self->host;

In my specific case, it changes from
  $principal = 'l...@spelt.srv.cs.cmu.edu'
to
  $principal = 'l...@128.2.203.46'


We pass that principal into
  # GSSAPI::Name->import is the *constructor*,
  # storing the new GSSAPI::Name into $target.
  # GSSAPI::Name->import is not the standard
  # import() method as used in Perl normally
  my $target;
  $status = GSSAPI::Name->import($target, $principal, gss_nt_service_name)
   or return $self->set_error("GSSAPI Error : ".$status);

The problem is in how the principal is used.  In all of the
examples and documentation I can find, we use GSSAPI against
a serv...@domain.name and never against serv...@ip.address.

Because, with that change, when I use a principal of
  'l...@spelt.srv.cs.cmu.edu'
it works.  But when I do
  'l...@128.2.203.46'
I get the following error:
  SASL(-1): generic failure: 
  GSSAPI Error: 
    Miscellaneous failure (see text) (Server (krbtgt/2.203...@cs.cmu.edu) 

I started browsing the GSSAPI source and got lost.
Perhaps it is a difference between the MIT Kerberos and
our Heimdal Kerberos that is causing this problem.
But using serv...@ip.address with GSSAPI just seems wrong to me.
Kerberos credentials are issued to domains and/or hosts
and not IP addresses.

If you have insight, comments, or questions, please feel
free to either
  - post them on this perl-ldap mailing list, or
  - contact me personally.
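The following is an added example and is not code from the original post, from Net::LDAP or from Authen::SASL. It separates the two things the patch above conflates: the address the TCP connection actually goes to (one member of the round-robin set) and the name handed to $sasl->client_new('ldap', ...) that Authen::SASL::Perl::GSSAPI turns into the service@host target. The function names, the connector callback and the address 192.0.2.10 (an RFC 5737 documentation address, used here as a constructed "unreachable" sibling) are assumptions of this example; the host name, the service "ldap" and 128.2.203.46 are the values quoted in the post.

```perl
#!/usr/bin/perl
# Added example (not Net::LDAP or Authen::SASL code): connect to whichever
# address of a round-robin host answers, but keep the configured host name
# as the GSSAPI target, since Kerberos service principals are named by host.
use strict;
use warnings;

# True if $host is an IPv4 dotted quad or an IPv6 literal.  Host names never
# contain ':' so that check is sufficient for IPv6; a plain regex avoids
# depending on a particular Socket.pm version for inet_pton.
sub is_ip_literal {
    my ($host) = @_;
    return 1 if $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return 1 if $host =~ /:/;
    return 0;
}

# Build the service@host string that Authen::SASL::Perl::GSSAPI passes to
# GSSAPI::Name->import.  Refuse an IP literal here, with a clear message,
# rather than letting the library fail later with a "generic failure".
sub service_principal {
    my ($service, $host) = @_;
    $host =~ s/\.\z//;    # a trailing dot on an FQDN is not part of the principal
    die "GSSAPI target '$host' is an IP literal; use the server's host name\n"
        if is_ip_literal($host);
    return "$service\@$host";
}

# Try each address in turn and return the first handle that connects,
# together with the *configured* host name to use for SASL.  $connect is a
# callback taking one address and returning a handle or undef.  @addrs would
# normally come from resolving $host (e.g. Socket::getaddrinfo); they are
# passed in so the caller controls resolution and the demo runs offline.
sub connect_round_robin {
    my ($host, $connect, @addrs) = @_;
    for my $addr (@addrs) {
        my $sock = $connect->($addr);
        next unless defined $sock;
        # What goes to $sasl->client_new('ldap', ...) is $host, not $addr.
        return { sock => $sock, peer => $addr, sasl_host => $host };
    }
    die "could not connect to any address for $host\n";
}

# Demo with constructed data.  The connector is a stand-in that "fails" on
# the documentation address and "succeeds" on the address from the post;
# a real connector would open a TCP socket to $addr.
my $host  = 'spelt.srv.cs.cmu.edu';
my @addrs = ('192.0.2.10', '128.2.203.46');
my $fake_connect = sub {
    my ($addr) = @_;
    return $addr eq '128.2.203.46' ? "socket-to-$addr" : undef;
};

my $conn = connect_round_robin($host, $fake_connect, @addrs);
printf "connected to %s, SASL target host is %s\n",
    $conn->{peer}, $conn->{sasl_host};

# Target built the way the pre-patch code did (from the host name).
print "principal: ", service_principal('ldap', $conn->{sasl_host}), "\n";

# Target built from peerhost, as after the patch: rejected up front.
eval { service_principal('ldap', $conn->{peer}) };
print "rejected: $@" if $@;
```

The point of returning sasl_host alongside the socket is that the caller never has to recover a name from the peer address. Mapping the address back to a name with reverse DNS (the rdns behaviour some Kerberos libraries offer) would make the chosen principal depend on a DNS answer an attacker may influence; using the name the administrator configured avoids that and matches what worked before the patch.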
