[Date Prev][Date Next]
Re: Finding Kerberos server from IPv6 address in SASL binding
Xu, Qiang (FXSGSC) wrote:
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Friday, August 07, 2009 1:15 PM
To: Xu, Qiang (FXSGSC)
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
Have you read the ldapsearch(1) manpage? Have you already
tried the "-d" debug option?
Blushed... Just read the manpage carefully, and use the option "-d -1"
(ldap_log.h shows -1 means LDAP_DEBUG_ANY). I got screens of output, around
However, from the output, I still can't figure out who in the process
the Kerberos server (resolved by DNS to IPv6 address) and sent out TGS-REQ.
Could you shed some light on it?
What OS are you running on, and what version of OpenLDAP are you using?
I suppose you could run ldapsearch -d -1 under strace, which ought to make it
clear what the full sequence of events is.
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do
the reverse lookup from the address. If your system's resolver is configured
correctly, and your DNS is configured correctly, then this should return the
canonical hostname corresponding to the IP address. The result of this call is
used in the sasl_client_new() function as the name of the remote host, and so
will be passed on to the GSSAPI plugin.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/