moved from Incoming to Contrib

If I recall your patch correctly (the URL provided is bad), the
changes are not portable across all protocol/address families.

Kurt 

changed state Open to Suspended

moved from Contrib to Software Bugs

 > If I recall your patch correctly (the URL provided is bad), the
 > changes are not portable across all protocol/address families.


In my working copy I'm checking for AF_INET in the result and only 
setting
addresses if it is really a V4 address. I've got a sinking feeling this
wasn't the version I took the patches from.  That version is correct,
since IP_REMOTE and IP_LOCAL are defined to be always be IPV4 addresses.
This breaks portability if there is no IPV4 support on the machine, but 
at
the moment this is assumed in a lot of places in the code.

  [ doh- just tried to get the right patches, and lost connectivity to 
UNC.
I'll mail you the patches when telocity decides to start routing to UNC
again - sample that hadn't scrolled out of the terminal buffer:
 >               struct sockaddr_in sin;
 >               int l;
 >               l = sizeof(sin);
 >               if(getsockname(lc->lconn_sb->sb_fd,(struct 
sockaddr*)&sin,&l)==
0 &&
 >                  sin.sin_family == AF_INET) {
 >                       sasl_setprop(ctx,SASL_IP_LOCAL, (void*)&sin);
 >               } ].

There are a few correct behaviours available. The approach I'm using will
work on IPV4 connections which have the kerberos4 plugin installed, and
does nothing with IPV6 connections.

This still isn't completely correct - I need to prevent the negotiation
mechanism from offering or picking KERBEROS_V4 in SASL negotiation over a
V6 connection, since KERBEROS_V4 is only defined for IPV4, and  
KERBEROS_V4 cannot be offered unless IP_REMOTE and IP_LOCAL are set.

slap_sasl_mechs has the Connection, so this is a pretty easy fix; ought 
to check in slap_sasl_bind just in case someone decides to try 
kerberos_v4 even when it isn't offered (not that this gains them 
anything).   Client side needs to strip KERBEROS_V4 before calling 
sasl_client_start - socket is available in ldap_int_sasl_bind before 
this point so it's also a clean change.

If I could connect I would have already made this changes :-)

Do this make you feel any more comfortable?

Simon
p.s.
  With these changes in place, openldap interoperates beautifully with 
JNDI and kerberos sasl

 > If I recall your patch correctly (the URL provided is bad), the
 > changes are not portable across all protocol/address families.


In my working copy I'm checking for AF_INET in the result and only 
setting
addresses if it is really a V4 address. I've got a sinking feeling this
wasn't the version I took the patches from.  That version is correct,
since IP_REMOTE and IP_LOCAL are defined to be always be IPV4 addresses.
This breaks portability if there is no IPV4 support on the machine, but 
at
the moment this is assumed in a lot of places in the code.

  [ doh- just tried to get the right patches, and lost connectivity to 
UNC.
I'll mail you the patches when telocity decides to start routing to UNC
again - sample that hadn't scrolled out of the terminal buffer:
 >               struct sockaddr_in sin;
 >               int l;
 >               l = sizeof(sin);
 >               if(getsockname(lc->lconn_sb->sb_fd,(struct 
sockaddr*)&sin,&l)==
0 &&
 >                  sin.sin_family == AF_INET) {
 >                       sasl_setprop(ctx,SASL_IP_LOCAL, (void*)&sin);
 >               } ].

There are a few correct behaviours available. The approach I'm using will
work on IPV4 connections which have the kerberos4 plugin installed, and
does nothing with IPV6 connections.

This still isn't completely correct - I need to prevent the negotiation
mechanism from offering or picking KERBEROS_V4 in SASL negotiation over a
V6 connection, since KERBEROS_V4 is only defined for IPV4, and  
KERBEROS_V4 cannot be offered unless IP_REMOTE and IP_LOCAL are set.

slap_sasl_mechs has the Connection, so this is a pretty easy fix; ought 
to check in slap_sasl_bind just in case someone decides to try 
kerberos_v4 even when it isn't offered (not that this gains them 
anything).   Client side needs to strip KERBEROS_V4 before calling 
sasl_client_start - socket is available in ldap_int_sasl_bind before 
this point so it's also a clean change.

If I could connect I would have already made this changes :-)

Do this make you feel any more comfortable?

Simon
p.s.
  With these changes in place, openldap interoperates beautifully with 
JNDI and kerberos sasl

At 08:53 PM 5/2/01, ses@unc.edu wrote:
>Do this make you feel any more comfortable?

My primary concern is for the code to only set the parameters
when IPv4 is used.  As far as the other issues, I assume only
those who care to use KERBEROS_IV will install the mechanisms.
As far as issue of when it should be chosen or not is actual
best done by Cyrus SASL.

BTW, I assume you are aware of the Cyrus KRB4_IGNORE_IP_ADDRESS
flag.

Kurt

"Kurt D. Zeilenga" wrote:

> At 08:53 PM 5/2/01, ses@unc.edu wrote:
> >Do this make you feel any more comfortable?
>
> My primary concern is for the code to only set the parameters when
> IPv4 is used.

> As far as the other issues, I assume only those who care to use
> KERBEROS_IV will install the mechanisms. As far as issue of when it
> should be chosen or not is actual best done by Cyrus SASL.

That is the right place, but would require the library to insist that
all properties that might be to have already been set before listmechs
is called (which is reasonable, but is different from current behaviour,
which just requires them to be set before the mechanism is used). That
might be feasible (it wouldn't break cyrus-imapd).  I'll bounce it off
the cmu folks.

> BTW, I assume you are aware of the Cyrus KRB4_IGNORE_IP_ADDRESS

This doesn't knock out all the getprops of these fields - just one of
them :-(

Simon

moved from Software Bugs to Software Enhancements

moved from Software Enhancements to Contrib

changed notes

changed state Suspended to Feedback

changed notes

changed notes
changed state Feedback to Suspended

changed notes
changed state Suspended to Closed

changed notes
changed state Closed to Suspended

changed notes
changed state Suspended to Closed

moved from Contrib to Archive.Contrib

KerberosIV SASL works in HEAD and RE21.