Re: SASL LDAP binding over IPv6

[Howard Chu <hyc@symas.com>]

Xu, Qiang (FXSGSC) wrote:
> > -----Original Message-----
> > From: Howard Chu [mailto:hyc@symas.com]
> > Sent: Friday, June 12, 2009 1:28 PM
> > To: Xu, Qiang (FXSGSC)
> > Cc: openldap-technical@openldap.org
> > Subject: Re: SASL LDAP binding over IPv6
> >
> > Yes, that is required for IPv6 addresses in URLs.
>
> Thanks, Howard. Just off-topic for a shot while, does this mean that when I am doing SASL binding over IPv6 address, it also must be surrounded by brackets?
>
> > ldapsearch didn't fail, the GSSAPI/Kerberos library did. It
> > was unable to match the provided IP address to the name of a
> > Kerberos server principal. In general, Kerberos requires
> > valid hostnames, it doesn't work well with numeric addresses.
>
> But it can work well with numeric IPv6 addresses in simple binding. And when working with IPv4 addresss, SASL binding is also successful, coz it will initiate a reverse nslookup to find out FQDN of the LDAP server. So, why it can't deal with numeric addresses in IPv6? Kind of strange.
>
> Is it possible that in the server, there isn't SPN for IPv6 address, but only IPv4?

That's a question for your Kerberos admin to answer.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/