
RE: Finding Kerberos server from IPv6 address in SASL binding



> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com] 
> Sent: Friday, August 07, 2009 2:21 PM
> To: Xu, Qiang (FXSGSC)
> Cc: openldap-technical@openldap.org
> Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
> 
> By default, on an OS that supports IPv6, libldap will use 
> getnameinfo() to do the reverse lookup from the address. If 
> your system's resolver is configured correctly, and your DNS 
> is configured correctly, then this should return the 
> canonical hostname corresponding to the IP address. The 
> result of this call is used in the sasl_client_new() function 
> as the name of the remote host, and so will be passed on to 
> the GSSAPI plugin.

After kinit, there is a Kerberos TGT:
===================================================
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
        renew until 08/08/09 13:19:18


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems OpenLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

Hope you can clarify the issue, Howard!
Xu Qiang