
Re: Finding Kerberos server from IPv6 address in SASL binding



Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding

By default, on an OS that supports IPv6, libldap will use
getnameinfo() to do the reverse lookup from the address. If
your system's resolver is configured correctly, and your DNS
is configured correctly, then this should return the
canonical hostname corresponding to the IP address. The
result of this call is used in the sasl_client_new() function
as the name of the remote host, and so will be passed on to
the GSSAPI plugin.

By the way, sasl_client_new() connects to the Kerberos server, or the LDAP
server? I suppose it is the former, isn't it?

Your use of terminology here is unclear. The subject implies that you're asking about the IP address of the Kerberized server, i.e., the server that will use a service ticket from a client to authenticate the client. This is obviously the same machine as the LDAP server, since it is in fact that LDAP server you're trying to authenticate to.

If you're actually talking about the Kerberos KDC, which hands out tickets to clients, its address obviously has nothing to do with any IPv6 address that OpenLDAP passed to SASL.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
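As an added illustration of the lookup Howard describes above (this is example code written for this page, not libldap's or OpenLDAP's own source; the function name sasl_peer_name is hypothetical), here is the getnameinfo() step that turns the server's IPv6 or IPv4 address into the host name a client would hand to sasl_client_new(). NI_NAMEREQD makes a missing or broken reverse zone visible instead of silently yielding a numeric "host name" for the GSSAPI plugin:

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Resolve the name a libldap-style client would pass to sasl_client_new()
 * for a server reached at addr (an IP literal such as "2001:db8::1").
 * Returns  0 and fills out[] with the canonical host name from the PTR record,
 *          1 if no PTR record resolves and out[] holds only the numeric address,
 *         -1 if addr is not a valid IPv4/IPv6 literal.
 * (Hypothetical helper written for this example.) */
int sasl_peer_name(const char *addr, char *out, socklen_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* accept IPv4 and IPv6 */
    hints.ai_flags  = AI_NUMERICHOST;   /* addr is a literal: no forward DNS */
    if (getaddrinfo(addr, NULL, &hints, &res) != 0 || res == NULL)
        return -1;

    /* Reverse lookup, as libldap does on an IPv6-capable OS. NI_NAMEREQD
     * fails when no PTR record exists rather than returning the address. */
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                     NULL, 0, NI_NAMEREQD);
    if (rc != 0) {
        /* No usable reverse record: hand back the numeric form so the
         * caller can refuse or fall back explicitly instead of building a
         * service principal like ldap/<ip-address> by accident. */
        getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                    NULL, 0, NI_NUMERICHOST);
        rc = 1;
    }
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
    char host[1025];                      /* NI_MAXHOST-sized buffer */
    /* 2001:db8::/32 is the documentation prefix: a constructed sample. */
    int rc = sasl_peer_name("2001:db8::1", host, sizeof host);
    printf("rc=%d host=%s\n", rc, host);
    return rc < 0;
}
```

The host name this returns is what the GSSAPI plugin uses to build the ldap/<hostname> service principal, so a wrong or attacker-controlled PTR record changes which ticket the client requests.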