[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL LDAP binding over IPv6

Xu, Qiang (FXSGSC) wrote:
> Just to let you guys know that Howard is correct. In dealing with
> IPv6 address, we must provide hostname to ldapsearch command. The
> numeric address doesn't work. In contrast, if the server only has
> IPv4 address, then providng hostname is optional, i.e. we can also
> supply IPv4 address directly to ldapsearch command.
> So, generally, when we don't know which one of the two addresses
> (IPv6 and IPv4) the server is prioritized upon, we had better always
> provide hostname to ldapsearch command, when doing SASL bindings.

Even with IPv4 addresses I had some issues when using SASL bind to MS AD
(with OpenLDAP's ldapsearch tool). And this not only with GSSAPI mech.
Also AD is picky with DIGEST-MD5.

So in general: If you have any issues with SASL bind and MS AD examine
your DNS and the attribute servicePrincipalName of the used service
account and fix related DNS RRs if needed.

Ciao, Michael.