Re: SASL LDAP binding over IPv6

Xu, Qiang (FXSGSC) wrote:
Hi, all:

When using ldapsearch to bind to a server with an IPv6 address, an error pops up:
qxu@durian(pts/3):/etc[133]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:

qxu@durian(pts/3):/etc[134]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
06/09/09 17:35:18  06/10/09 03:34:41  krbtgt/XCIPV6.COM@XCIPV6.COM
         renew until 06/10/09 17:35:18

qxu@durian(pts/3):/etc[135]$ ldapsearch -Y GSSAPI -H 'ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
Could not create LDAP session handle for URI=ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c (-9): Bad parameter to an ldap routine

qxu@durian(pts/3):/etc[136]$ ldapsearch -Y GSSAPI -H 'ldap://[3ffe:2000:0:1:e0be:1872:d4f8:6b2c]' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Shall I add the brackets [] around the IPv6 address?

Yes, that is required for IPv6 addresses in URLs.

The DNS server has been correctly set up, because SASL binding over an IPv4 address works.

Any possible reason for the failure of ldapsearch?

ldapsearch didn't fail; the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames; it doesn't work well with numeric addresses.
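Added example (not code from the thread or from OpenLDAP): a small pre-flight check that catches both failures above, the unbracketed IPv6 literal in the URL and the numeric host that Kerberos cannot map to a service principal. It assumes the standard ldap/<hostname>@REALM principal form and uses a constructed hostname, ldap.xcipv6.com, for the working case.

```python
import ipaddress

def split_ldap_uri(uri):
    """Return (scheme, authority, rest); rest is '/...' after the host, or ''."""
    scheme, _, remainder = uri.partition("://")
    if not scheme or not remainder:
        raise ValueError(f"not an LDAP URI: {uri!r}")
    slash = remainder.find("/")
    return (scheme, remainder, "") if slash < 0 else (scheme, remainder[:slash], remainder[slash:])

def normalize_ldap_uri(uri):
    """Wrap a bare IPv6 literal in [] (RFC 2732 form); return (fixed_uri, host, was_bare)."""
    scheme, authority, rest = split_ldap_uri(uri)
    if authority.startswith("["):                # already bracketed, possibly ]:port
        return uri, authority[1:authority.index("]")], False
    if authority.count(":") > 1:                  # bare IPv6 literal: colons clash with :port
        return f"{scheme}://[{authority}]{rest}", authority, True
    return uri, authority.rsplit(":", 1)[0], False  # hostname or IPv4, optional :port

def is_numeric_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def expected_service_principal(host, realm):
    """Principal the GSSAPI client asks the KDC for, or None when the host is a bare address."""
    if is_numeric_host(host):
        return None
    return f"ldap/{host.lower()}@{realm}"

def check_gssapi_ldap_uri(uri, realm):
    """Diagnose the two errors from the thread before attempting a SASL/GSSAPI bind."""
    fixed, host, was_bare = normalize_ldap_uri(uri)
    problems = []
    if was_bare:
        problems.append("IPv6 literal must be bracketed in a URL: use " + fixed)
    principal = expected_service_principal(host, realm)
    if principal is None:
        problems.append(f"{host} is a numeric address; Kerberos cannot map it to "
                        f"ldap/<hostname>@{realm} (use the server's DNS name instead)")
    return {"uri": fixed, "host": host, "principal": principal, "problems": problems}

if __name__ == "__main__":
    # The two URIs from the thread plus a constructed hostname form that GSSAPI can resolve.
    for u in ["ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c",
              "ldap://[3ffe:2000:0:1:e0be:1872:d4f8:6b2c]",
              "ldap://ldap.xcipv6.com/dc=xcipv6,dc=com"]:
        r = check_gssapi_ldap_uri(u, "XCIPV6.COM")
        print(r["uri"], "->", r["principal"] or "; ".join(r["problems"]))
```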

