-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
After kinit, there is a Kerberos TGT:
===================================================
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
        renew until 08/08/09 13:19:18


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems OpenLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

Hope you can clarify the issue, Howard!

Xu Qiang
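The lookup chain Howard describes (peer address, getnameinfo(), host name handed to sasl_client_new(), from which the GSSAPI plugin forms the ldap/<host>@REALM service principal seen in the klist output), traced in Python as an added example that is not code from OpenLDAP, Cyrus-SASL or either poster. The IPv6 address and DNS answers are constructed sample data, and the forward-confirmation check is an added sanity step that libldap itself does not perform.

```python
"""Trace how a GSSAPI LDAP bind derives its target service principal."""
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed sample DNS answers (2001:db8::/32 is a documentation prefix).
SAMPLE_PTR = {"2001:db8::10": "crius.xcipv6.com"}      # reverse (PTR)
SAMPLE_AAAA = {"crius.xcipv6.com": ["2001:db8::10"]}   # forward (AAAA)


def system_reverse_lookup(address: str) -> str:
    """Live equivalent of libldap's call: getnameinfo() with NI_NAMEREQD,
    so an address without a PTR record raises instead of yielding a literal."""
    host, _service = socket.getnameinfo((address, 389), socket.NI_NAMEREQD)
    return host


def system_forward_lookup(host: str) -> List[str]:
    """Live forward lookup of a host name to all of its addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def sasl_remote_host(
    address: str,
    reverse: Callable[[str], str] = system_reverse_lookup,
    forward: Callable[[str], List[str]] = system_forward_lookup,
) -> Optional[str]:
    """Return the host name libldap would pass to sasl_client_new(), or None
    when the name's forward lookup does not cover the original address
    (a PTR answer naming a host that the address does not belong to)."""
    try:
        host = reverse(address)
    except (socket.gaierror, KeyError):
        return None
    # Compare parsed addresses so "2001:0db8::0010" and "2001:db8::10" agree.
    owned = {ipaddress.ip_address(a) for a in forward(host)}
    if ipaddress.ip_address(address) not in owned:
        return None
    return host


def ldap_service_principal(host: str, realm: str) -> str:
    """Service principal the GSSAPI plugin requests from the KDC, in the
    same form as the klist entry ldap/crius.xcipv6.com@XCIPV6.COM."""
    return f"ldap/{host}@{realm}"


if __name__ == "__main__":
    host = sasl_remote_host("2001:db8::10", lambda a: SAMPLE_PTR[a],
                            lambda h: SAMPLE_AAAA.get(h, []))
    print(host, ldap_service_principal(host, "XCIPV6.COM"))
```

With the default lookups the same functions run against the live resolver, which is where a misconfigured PTR or AAAA record shows up as a None result before any bind is attempted.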