[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Finding Kerberos server from IPv6 address in SASL binding

Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding

By default, on an OS that supports IPv6, libldap will use
getnameinfo() to do the reverse lookup from the address. If
your system's resolver is configured correctly, and your DNS
is configured correctly, then this should return the
canonical hostname corresponding to the IP address. The
result of this call is used in the sasl_client_new() function
as the name of the remote host, and so will be passed on to
the GSSAPI plugin.

After kinit, there is a Kerberos TGT:
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
         renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
         renew until 08/08/09 13:19:18

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
Since it seems OpenLDAP didn't pass any info related to Kerberos
authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtain
the Kerberos authentication server's whereabout from the ticket? But there is
only an LDAP server's service principle in the ticket
(ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication
server's address or hostname, does it?

Hope you can clarify the issue, Howard!

This is why we tell people "make sure you have Kerberos working on its own before trying to integrate with LDAP" - you're expected to already understand how Kerberos works. You're expected to have gained this understanding by working through getting a Kerberos setup off the ground...

How a Kerberized client finds the relevant KDC is purely a Kerberos issue, and it's outside the scope of these mailing lists. Suffice to say, when you have Kerberos configured correctly on your machine, the Kerberos library will find the right KDC. It obviously has already done so in order to authenticate you originally at kinit time, and the fact that you have a TGT shows that it was successful.

If you want to pursue this question further, please do so on a Kerberos support mailing list; it has nothing to do with SASL or LDAP.
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/