Full_Name: Simon Spero
Version: -current
OS: OpenBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (152.2.246.198)

Further to previous report (1106), patches now available for client and server in http://www.ibilio.org/ses/kerberos/

Simon
moved from Incoming to Contrib
If I recall your patch correctly (the URL provided is bad), the changes are not portable across all protocol/address families.

Kurt
changed state Open to Suspended
moved from Contrib to Software Bugs
> If I recall your patch correctly (the URL provided is bad), the
> changes are not portable across all protocol/address families.

In my working copy I'm checking for AF_INET in the result and only setting addresses if it is really a V4 address. I've got a sinking feeling this wasn't the version I took the patches from. That version is correct, since IP_REMOTE and IP_LOCAL are defined to always be IPV4 addresses. This breaks portability if there is no IPV4 support on the machine, but at the moment this is assumed in a lot of places in the code.

[ doh - just tried to get the right patches, and lost connectivity to UNC. I'll mail you the patches when telocity decides to start routing to UNC again - sample that hadn't scrolled out of the terminal buffer:

> struct sockaddr_in sin;
> socklen_t l;
>
> l = sizeof(sin);
> if (getsockname(lc->lconn_sb->sb_fd, (struct sockaddr *)&sin, &l) == 0 &&
>     sin.sin_family == AF_INET) {
>     sasl_setprop(ctx, SASL_IP_LOCAL, (void *)&sin);
> }
]

There are a few correct behaviours available. The approach I'm using will work on IPV4 connections which have the kerberos4 plugin installed, and does nothing with IPV6 connections. This still isn't completely correct - I need to prevent the negotiation mechanism from offering or picking KERBEROS_V4 in SASL negotiation over a V6 connection, since KERBEROS_V4 is only defined for IPV4, and KERBEROS_V4 cannot be offered unless IP_REMOTE and IP_LOCAL are set. slap_sasl_mechs has the Connection, so this is a pretty easy fix; ought to check in slap_sasl_bind just in case someone decides to try kerberos_v4 even when it isn't offered (not that this gains them anything).

Client side needs to strip KERBEROS_V4 before calling sasl_client_start - socket is available in ldap_int_sasl_bind before this point so it's also a clean change.

If I could connect I would have already made these changes :-)

Does this make you feel any more comfortable?

Simon

p.s. With these changes in place, openldap interoperates beautifully with JNDI and kerberos sasl
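The two checks Simon describes, as an added example that is not part of this thread or of OpenLDAP's code: read the address family out of a sockaddr_storage before treating the endpoint as IPv4, and drop KERBEROS_V4 from the mechanism list when the connection is not IPv4. It assumes a space-separated mechanism list; conn_is_ipv4 and filter_mechs are hypothetical names, and the sockets in main() are constructed locally.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Returns 1 if the socket's local end is a real IPv4 endpoint, else 0.
 * Uses sockaddr_storage so a V6 or AF_UNIX address cannot overflow the
 * buffer, and checks the family before anyone reads it as sockaddr_in. */
int conn_is_ipv4(int fd) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return 0;                     /* unknown family: do not claim IPv4 */
    return ss.ss_family == AF_INET;
}

/* Copy a space-separated SASL mechanism list into out, dropping KERBEROS_V4
 * unless the connection is IPv4 (it needs IP_LOCAL/IP_REMOTE, which are
 * IPv4-only). Returns the number of mechanisms kept. Hypothetical helper. */
int filter_mechs(const char *mechs, int is_ipv4, char *out, size_t outlen) {
    char buf[256];
    int kept = 0;
    out[0] = '\0';
    strncpy(buf, mechs, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (!is_ipv4 && strcmp(tok, "KERBEROS_V4") == 0)
            continue;                 /* never offer KRB4 over non-IPv4 */
        if (kept)
            strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, tok, outlen - strlen(out) - 1);
        kept++;
    }
    return kept;
}

int main(void) {
    /* constructed sockets: one IPv4 (unbound is enough for the family) and
     * one AF_UNIX pair standing in for a non-IPv4 connection */
    int v4 = socket(AF_INET, SOCK_DGRAM, 0);
    int un[2];
    char out[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, un) != 0) return 1;
    filter_mechs("DIGEST-MD5 KERBEROS_V4 GSSAPI", conn_is_ipv4(v4), out, sizeof out);
    printf("ipv4 connection offers: %s\n", out);
    filter_mechs("DIGEST-MD5 KERBEROS_V4 GSSAPI", conn_is_ipv4(un[0]), out, sizeof out);
    printf("unix connection offers: %s\n", out);
    close(v4); close(un[0]); close(un[1]);
    return 0;
}
```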
At 08:53 PM 5/2/01, ses@unc.edu wrote:
>Does this make you feel any more comfortable?

My primary concern is for the code to only set the parameters when IPv4 is used.

As far as the other issues, I assume only those who care to use KERBEROS_IV will install the mechanisms. As for the issue of when it should be chosen or not, that is actually best done by Cyrus SASL.

BTW, I assume you are aware of the Cyrus KRB4_IGNORE_IP_ADDRESS flag.

Kurt
"Kurt D. Zeilenga" wrote:
> At 08:53 PM 5/2/01, ses@unc.edu wrote:
> >Does this make you feel any more comfortable?
>
> My primary concern is for the code to only set the parameters when
> IPv4 is used.

> As far as the other issues, I assume only those who care to use
> KERBEROS_IV will install the mechanisms. As for the issue of when it
> should be chosen or not, that is actually best done by Cyrus SASL.

That is the right place, but would require the library to insist that all properties that might be needed have already been set before listmechs is called (which is reasonable, but is different from current behaviour, which just requires them to be set before the mechanism is used). That might be feasible (it wouldn't break cyrus-imapd). I'll bounce it off the cmu folks.

> BTW, I assume you are aware of the Cyrus KRB4_IGNORE_IP_ADDRESS

This doesn't knock out all the getprops of these fields - just one of them :-(

Simon
moved from Software Bugs to Software Enhancements
moved from Software Enhancements to Contrib
changed notes
changed state Suspended to Feedback
changed notes
changed state Feedback to Suspended
changed notes
changed state Suspended to Closed
changed notes
changed state Closed to Suspended
moved from Contrib to Archive.Contrib
KerberosIV SASL works in HEAD and RE21.