
Re: Kerberos V4 SASL patches (server AND client) (ITS#1120)

 > If I recall your patch correctly (the URL provided is bad), the
 > changes are not portable across all protocol/address families.


In my working copy I'm checking for AF_INET in the result and only setting
addresses if it is really a V4 address. I've got a sinking feeling this
wasn't the version I took the patches from.  That version is correct,
since IP_REMOTE and IP_LOCAL are defined to always be IPV4 addresses.
This breaks portability if there is no IPV4 support on the machine, but at
the moment this is assumed in a lot of places in the code.

  [ doh- just tried to get the right patches, and lost connectivity to UNC.
I'll mail you the patches when telocity decides to start routing to UNC
again - sample that hadn't scrolled out of the terminal buffer:
 >               struct sockaddr_in sin;
 >               int l;
 >               l = sizeof(sin);
 >               if(getsockname(lc->lconn_sb->sb_fd,(struct sockaddr*)&sin,&l)==0 &&
 >                  sin.sin_family == AF_INET) {
 >                       sasl_setprop(ctx,SASL_IP_LOCAL, (void*)&sin);
 >               } ].

There are a few correct behaviours available. The approach I'm using will
work on IPV4 connections which have the kerberos4 plugin installed, and
does nothing with IPV6 connections.

This still isn't completely correct - I need to prevent the negotiation
mechanism from offering or picking KERBEROS_V4 in SASL negotiation over a
V6 connection, since KERBEROS_V4 is only defined for IPV4, and
KERBEROS_V4 cannot be offered unless IP_REMOTE and IP_LOCAL are set.

slap_sasl_mechs has the Connection, so this is a pretty easy fix; ought
to check in slap_sasl_bind just in case someone decides to try
kerberos_v4 even when it isn't offered (not that this gains them
anything).   Client side needs to strip KERBEROS_V4 before calling
sasl_client_start - socket is available in ldap_int_sasl_bind before
this point so it's also a clean change.

If I could connect I would have already made these changes :-)

Does this make you feel any more comfortable?

Simon
p.s.
  With these changes in place, OpenLDAP interoperates beautifully with
JNDI and kerberos sasl
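The two checks the message describes, as an added stand-alone example that is not the patch from the mail or OpenLDAP code: read the connection's address family with getsockname (using sockaddr_storage and socklen_t so it works for any family), and strip the IPv4-only KERBEROS_V4 mechanism from a space-separated mechanism list when the connection is not AF_INET. The sasl_setprop call itself is left out since it needs libsasl; the constructed AF_UNIX socketpair stands in for a non-IPv4 connection.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <unistd.h>

/* Address family of a socket, or -1 on error. sockaddr_storage fits any
 * family; socklen_t is the length type getsockname actually expects. */
int sock_family(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    return ss.ss_family;
}

/* KERBEROS_V4 requires SASL_IP_LOCAL/SASL_IP_REMOTE, which are IPv4-only,
 * so it may be offered or chosen only when the connection is AF_INET. */
int mech_allowed(const char *mech, int family)
{
    if (strcmp(mech, "KERBEROS_V4") == 0)
        return family == AF_INET;
    return 1;
}

/* Rebuild the space-separated mechanism list without the mechanisms this
 * address family cannot support. Returns a static buffer (single-threaded). */
const char *filter_mechs(const char *mechs, int family)
{
    static char out[256];
    char copy[256];
    size_t used = 0;
    out[0] = '\0';
    snprintf(copy, sizeof(copy), "%s", mechs);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        if (!mech_allowed(tok, family))
            continue;
        int n = snprintf(out + used, sizeof(out) - used, "%s%s", used ? " " : "", tok);
        if (n < 0 || (size_t)n >= sizeof(out) - used)
            break;
        used += (size_t)n;
    }
    return out;
}

/* Constructed non-IPv4 connection: an AF_UNIX socketpair. */
int demo_family(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int fam = sock_family(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return fam;
}

int main(void)
{
    int fam = demo_family();
    printf("family %d -> offered: %s\n", fam,
           filter_mechs("GSSAPI KERBEROS_V4 DIGEST-MD5", fam));
    return 0;
}
```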