Re: Kerberos V4 SASL patches (server AND client) (ITS#1120) > If I recall your patch correctly (the URL provided is bad), the > changes are not portable across all protocol/address families.
- To: openldap-its@OpenLDAP.org
- Subject: Re: Kerberos V4 SASL patches (server AND client) (ITS#1120) > If I recall your patch correctly (the URL provided is bad), the > changes are not portable across all protocol/address families.
- From: ses@unc.edu
- Date: Thu, 3 May 2001 03:53:13 GMT
> If I recall your patch correctly (the URL provided is bad), the
> changes are not portable across all protocol/address families.
In my working copy I'm checking for AF_INET in the result and only setting
addresses if it is really a V4 address. I've got a sinking feeling this
wasn't the version I took the patches from. That version is correct,
since IP_REMOTE and IP_LOCAL are defined to always be IPV4 addresses.
This breaks portability if there is no IPV4 support on the machine, but at
the moment this is assumed in a lot of places in the code.
[ doh- just tried to get the right patches, and lost connectivity to UNC.
I'll mail you the patches when telocity decides to start routing to UNC
again - sample that hadn't scrolled out of the terminal buffer:
> struct sockaddr_in sin;
> int l;
> l = sizeof(sin);
> if(getsockname(lc->lconn_sb->sb_fd,(struct sockaddr*)&sin,&l)==0 &&
>    sin.sin_family == AF_INET) {
>     sasl_setprop(ctx,SASL_IP_LOCAL, (void*)&sin);
> } ].
There are a few correct behaviours available. The approach I'm using will
work on IPV4 connections which have the kerberos4 plugin installed, and
does nothing with IPV6 connections.
This still isn't completely correct - I need to prevent the negotiation
mechanism from offering or picking KERBEROS_V4 in SASL negotiation over a
V6 connection, since KERBEROS_V4 is only defined for IPV4, and
KERBEROS_V4 cannot be offered unless IP_REMOTE and IP_LOCAL are set.
slap_sasl_mechs has the Connection, so this is a pretty easy fix; ought
to check in slap_sasl_bind just in case someone decides to try
kerberos_v4 even when it isn't offered (not that this gains them
anything). Client side needs to strip KERBEROS_V4 before calling
sasl_client_start - socket is available in ldap_int_sasl_bind before
this point so it's also a clean change.
If I could connect I would have already made these changes :-)
Does this make you feel any more comfortable?
Simon
p.s.
With these changes in place, openldap interoperates beautifully with
JNDI and kerberos sasl
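The two checks Simon describes above, as an added example that is not part of the original message or of the OpenLDAP code base: an address-family test that decides whether a KERBEROS_V4 endpoint can be set at all (the AF_INET check from the quoted snippet, applied to any sockaddr rather than assuming a sockaddr_in), and a filter that strips KERBEROS_V4 from the mechanism list before it is offered or passed to sasl_client_start on a non-IPv4 connection. The names k4_addr_usable, endpoint_is_ipv4 and filter_mechs are assumptions, as is the space-separated mechanism-list format; no SASL calls are made, so it builds without the SASL library.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Nonzero only when the address is a genuine IPv4 sockaddr_in: the only
 * form SASL_IP_LOCAL / SASL_IP_REMOTE (and thus KERBEROS_V4) can take.
 * An AF_INET6 peer, or a truncated address, yields 0 and nothing is set. */
int k4_addr_usable(const struct sockaddr *sa, socklen_t len)
{
    return sa != NULL
        && len >= (socklen_t)sizeof(struct sockaddr_in)
        && sa->sa_family == AF_INET;
}

/* Mirror of the quoted getsockname() check on a live descriptor, but with
 * a sockaddr_storage so an IPv6 local address cannot overflow the buffer
 * (hypothetical helper; the caller decides whether to set the SASL props). */
int endpoint_is_ipv4(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;

    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return 0;
    return k4_addr_usable((struct sockaddr *)&ss, len);
}

/* Copy the space-separated mechanism list "mechs" into "out", dropping
 * KERBEROS_V4 unless the connection is IPv4 on both ends. Returns the
 * number of mechanisms kept. (Assumed list format, as constructed here.) */
size_t filter_mechs(const char *mechs, int ipv4_ok, char *out, size_t outlen)
{
    char buf[256];
    char *tok, *save = NULL;
    size_t kept = 0;

    if (outlen == 0 || mechs == NULL)
        return 0;
    out[0] = '\0';
    strncpy(buf, mechs, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        /* Without IP props the mechanism cannot complete, so never offer it. */
        if (!ipv4_ok && strcmp(tok, "KERBEROS_V4") == 0)
            continue;
        if (kept > 0 && strlen(out) + 1 < outlen)
            strcat(out, " ");
        strncat(out, tok, outlen - strlen(out) - 1);
        kept++;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample addresses: one IPv4, one IPv6 (no real sockets). */
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
    char offered[128];

    memset(&v4, 0, sizeof v4);
    v4.sin_family = AF_INET;
    memset(&v6, 0, sizeof v6);
    v6.sin6_family = AF_INET6;

    filter_mechs("KERBEROS_V4 GSSAPI DIGEST-MD5",
                 k4_addr_usable((struct sockaddr *)&v6, sizeof v6),
                 offered, sizeof offered);
    printf("over IPv6 we offer: %s\n", offered);   /* GSSAPI DIGEST-MD5 */

    filter_mechs("KERBEROS_V4 GSSAPI DIGEST-MD5",
                 k4_addr_usable((struct sockaddr *)&v4, sizeof v4),
                 offered, sizeof offered);
    printf("over IPv4 we offer: %s\n", offered);   /* all three */
    return 0;
}
```

The same filter belongs on both sides Simon names: in slap_sasl_mechs (and as a guard in slap_sasl_bind) on the server, and before sasl_client_start in ldap_int_sasl_bind on the client, so a peer that tries KERBEROS_V4 over IPv6 is refused rather than left with unset IP properties.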