[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL couldn't get local IP address (ITS#620)

Redirected to devel for discussion...

At 06:10 PM 7/10/00 +0000, adamson@cmu.edu wrote:

>Full_Name: Mark Adamson
>Version: DEV Beta
>OS: Solaris 2.7
>URL: http://nil.andrew.cmu.edu/ldap/sasl_setip.gdiff
>Submission from: (NULL) (
>I'm running the BETA version of OpenLDAP, downloaded July 7th. I was
>testing the SASL authentication implementation, using the KERBEROS_V4
>mechanism. I was getting the following message from client programs:
>ldap_negotiated_sasl_bind_s: Unknown error
>        additional info: couldn't get local IP address

Yes.  The server currently doesn't set local/remote IP addresses.
Originally, this was an oversight.  However, I was considering
whether or not to set them (on both sides) as we do not always have
an IPv4 address available (could be IPv6 or ldapi://).

In looking at Cyrus SASL code, only the KerberosV4 mechanism
makes use of the local/remote IPv4 addresses.  In fact, if you
compile Cyrus SASL with KRB4_IGNORE_IP_ADDRESS, the local/remote
IPv4 addresses are only needed if you are using security layers.

I was hoping we wouldn't have to support security layers with
KerberosV4 (instead use GSSAPI or other mechanisms which don't
require local/remote IPv4 addresses).

If we do need to set local/remote IPv4 addresses, we need to
only do it when they are available.   Theses should be obtained
from getsockname() and getpeername() respectively... then checking
to ensure the address family is AF_INET before passing them to
Cyrus SASL.

Anyways, both client and (patched) server codes would need some

It's likely best that this work be deferred until I complete
the SASL coding I'm working on (security layers, SASL external,
re-authentication, etc.).  I should have this code committed
within a day or two.