Xu, Qiang (FXSGSC) wrote:
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Friday, August 07, 2009 2:21 PM To: Xu, Qiang (FXSGSC) Cc: openldap-technical@openldap.org Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
After kinit, there is a Kerberos TGT:
qxu@durian(pts/2):/usr/lib[115]$ klist Ticket cache: FILE:/tmp/krb5cc_20153 Default principal: XCTEST100@XCIPV6.COM
Valid starting Expires Service principal 08/07/09 13:19:18 08/07/09 23:20:45 krbtgt/XCIPV6.COM@XCIPV6.COM renew until 08/08/09 13:19:18 08/07/09 13:22:00 08/07/09 23:20:45 ldap/crius.xcipv6.com@XCIPV6.COM renew until 08/08/09 13:19:18
Kerberos 4 ticket cache: /tmp/tkt20153 klist: You have no tickets cached =================================================== Since it seems OpenLDAP didn't pass any info related to Kerberos
authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtain the Kerberos authentication server's whereabout from the ticket? But there is only an LDAP server's service principle in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?
Hope you can clarify the issue, Howard!
This is why we tell people "make sure you have Kerberos working on its own before trying to integrate with LDAP" - you're expected to already understand how Kerberos works. You're expected to have gained this understanding by working through getting a Kerberos setup off the ground...
How a Kerberized client finds the relevant KDC is purely a Kerberos issue, and it's outside the scope of these mailing lists. Suffice to say, when you have Kerberos configured correctly on your machine, the Kerberos library will find the right KDC. It obviously has already done so in order to authenticate you originally at kinit time, and the fact that you have a TGT shows that it was successful.
If you want to pursue this question further, please do so on a Kerberos support mailing list; it has nothing to do with SASL or LDAP.