[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Finding Kerberos server from IPv6 address in SASL binding

Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding

By default, on an OS that supports IPv6, libldap will use
getnameinfo() to do the reverse lookup from the address. If
your system's resolver is configured correctly, and your DNS
is configured correctly, then this should return the
canonical hostname corresponding to the IP address. The
result of this call is used in the sasl_client_new() function
as the name of the remote host, and so will be passed on to
the GSSAPI plugin.

By the way, sasl_client_new() connects to the Kerberos server, or the LDAP
server? I suppose it is the former, isn't it?

Your use of terminology here is unclear. The subject implies that you're asking about the IP address of the Kerberized server, i.e., the server that will use a service ticket from a client to authenticate the client. This is obviously the same machine as the LDAP server, since it is in fact that LDAP server you're trying to authenticate to.

If you're actually talking about the Kerberos KDC, which hands out tickets to clients, its address obviously has nothing to do with any IPv6 address that OpenLDAP passed to SASL.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/