
Re: Finding Kerberos server from IPv6 address in SASL binding

Xu, Qiang (FXSGSC) wrote:
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Friday, August 07, 2009 1:15 PM
> To: Xu, Qiang (FXSGSC)
> Cc: openldap-technical@openldap.org
> Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
>
>> Have you read the ldapsearch(1) manpage? Have you already
>> tried the "-d" debug option?
>
> Blushed... Just read the manpage carefully, and used the option "-d -1"
> (ldap_log.h shows -1 means LDAP_DEBUG_ANY). I got screens of output, around
> 1000 lines.
>
> However, from the output, I still can't figure out who in the process
> the Kerberos server (resolved by DNS to an IPv6 address) and sent out TGS-REQ.
> Could you shed some light on it?

What OS are you running on, and what version of OpenLDAP are you using?

I suppose you could run ldapsearch -d -1 under strace, which ought to make it clear what the full sequence of events is.

By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
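The reverse-lookup step Howard describes above decides which hostname the GSSAPI plugin is handed, and therefore which service principal the client asks the KDC for. The following is an added example, not code from OpenLDAP or from either poster: it repeats that getnameinfo() step for a given address so you can check what name your resolver returns, and builds the host-based service name the SASL GSSAPI mechanism imports from the "ldap" service and that host. The function names are my own; the numeric_only flag is there so the code can be exercised without DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Resolve an address string (IPv4 or IPv6) back to a hostname the way
 * libldap does with getnameinfo(). NI_NAMEREQD makes the call fail instead
 * of silently returning the numeric address when there is no PTR record,
 * which is exactly the case worth spotting. With numeric_only set no DNS
 * query is made and the canonical numeric form is returned (offline use).
 * Returns 0 on success, nonzero on failure. */
int reverse_lookup(const char *addr, int numeric_only,
                   char *host, size_t hostlen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;   /* addr must already be numeric */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(addr, NULL, &hints, &res) != 0)
        return -1;
    int flags = numeric_only ? NI_NUMERICHOST : NI_NAMEREQD;
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen,
                         host, hostlen, NULL, 0, flags);
    freeaddrinfo(res);
    return rc;
}

/* The SASL GSSAPI mechanism combines the service ("ldap") and the host
 * passed to sasl_client_new() into a host-based name, service@host,
 * which Kerberos then maps to ldap/host@REALM when sending the TGS-REQ.
 * If the reverse lookup yields an unexpected host, this is the principal
 * that will be requested. Returns 0 on success, -1 if out does not fit. */
int ldap_service_name(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ldap@%s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char host[1025], svc[1100];
    const char *addr = "2001:db8::1";   /* constructed sample address */
    if (reverse_lookup(addr, 0, host, sizeof host) != 0) {
        printf("no PTR record for %s; GSSAPI would get the bare address\n", addr);
        return 1;
    }
    ldap_service_name(host, svc, sizeof svc);
    printf("%s -> %s -> %s\n", addr, host, svc);
    return 0;
}
```

Compare the printed host against the principal actually present in the LDAP server's keytab; a mismatch there, rather than anything in ldapsearch itself, is what produces a TGS-REQ for the wrong name.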