Hi, all:
In using ldapsearch to bind to a server with an IPv6 address, some error pops up:
===========================================================
qxu@durian(pts/3):/etc[133]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
qxu@durian(pts/3):/etc[134]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
06/09/09 17:35:18  06/10/09 03:34:41  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 06/10/09 17:35:18
qxu@durian(pts/3):/etc[135]$ ldapsearch -Y GSSAPI -H 'ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
Could not create LDAP session handle for URI=ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c (-9): Bad parameter to an ldap routine
qxu@durian(pts/3):/etc[136]$ ldapsearch -Y GSSAPI -H 'ldap://[3ffe:2000:0:1:e0be:1872:d4f8:6b2c]' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
===========================================================
Shall I add the brackets [] around the IPv6 address? The DNS server has been correctly set up, because SASL binding over the IPv4 address is good.
Any possible reason for the failure of ldapsearch?
Thanks, Xu Qiang
Xu, Qiang (FXSGSC) wrote:
Hi, all:
In using ldapsearch to bind to a server with an IPv6 address, some error pops up:
qxu@durian(pts/3):/etc[133]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
qxu@durian(pts/3):/etc[134]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
06/09/09 17:35:18  06/10/09 03:34:41  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 06/10/09 17:35:18
qxu@durian(pts/3):/etc[135]$ ldapsearch -Y GSSAPI -H 'ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
Could not create LDAP session handle for URI=ldap://3ffe:2000:0:1:e0be:1872:d4f8:6b2c (-9): Bad parameter to an ldap routine
qxu@durian(pts/3):/etc[136]$ ldapsearch -Y GSSAPI -H 'ldap://[3ffe:2000:0:1:e0be:1872:d4f8:6b2c]' -b 'dc=xcipv6,dc=com' -s sub -LLL 'cn=XCTEST100' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
===========================================================
Shall I add the brackets [] around the IPv6 address?
Yes, that is required for IPv6 addresses in URLs.
DNS server has been correctly set up, because sasl binding over IPv4 address is good.
Any possible reason for the failure of ldapsearch?
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
Yes, that is required for IPv6 addresses in URLs.
Thanks, Howard. Just off-topic for a short while, does this mean that when I am doing SASL binding over an IPv6 address, it also must be surrounded by brackets?
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
But it can work well with numeric IPv6 addresses in simple binding. And when working with IPv4 addresses, SASL binding is also successful, because it will initiate a reverse nslookup to find out the FQDN of the LDAP server. So why can't it deal with numeric addresses in IPv6? Kind of strange.
Is it possible that in the server, there isn't an SPN for the IPv6 address, but only for IPv4?
Thanks a lot, Xu Qiang
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
Yes, that is required for IPv6 addresses in URLs.
Thanks, Howard. Just off-topic for a short while, does this mean that when I am doing SASL binding over an IPv6 address, it also must be surrounded by brackets?
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
But it can work well with numeric IPv6 addresses in simple binding. And when working with IPv4 addresses, SASL binding is also successful, because it will initiate a reverse nslookup to find out the FQDN of the LDAP server. So why can't it deal with numeric addresses in IPv6? Kind of strange.
Is it possible that in the server, there isn't an SPN for the IPv6 address, but only for IPv4?
That's a question for your Kerberos admin to answer.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:42 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
Is it possible that in the server, there isn't an SPN for the IPv6 address, but only for IPv4?
That's a question for your Kerberos admin to answer.
On second thoughts, Service Principal Name should only correspond to hostname, not numerical address, be it IPv4 or IPv6, right? And since ldapsearch works well with SASL over IPv4 address, the SPN should exist, right?
I am lost here...
By the way, if I am using Mozilla LDAP C SDK to implement SASL binding, should I also bracket the IPv6 address, which will be passed to prldap_init()? I know it is a little off-topic here, but...
Hope you can help me further, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
Yes, that is required for IPv6 addresses in URLs.
Thanks, Howard. Just off-topic for a short while, does this mean that when I am doing SASL binding over an IPv6 address with MozLDAP, it also must be surrounded by brackets? In the implementation, I've got to pass the hostname or IPv6 address to the init function prldap_init(), and I'm not sure whether I also need to bracket the address.
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
But it can work well with numeric IPv6 addresses in simple binding. And when working with IPv4 addresses, SASL binding is also successful, because it will initiate a reverse nslookup to find out the FQDN of the LDAP server. So why can't it deal with numeric addresses in IPv6? Kind of strange.
Is it possible that in the server, there isn't an SPN for the IPv6 address, but only for IPv4?
Thanks a lot, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
My apology (for the private inquiry) first, Howard.
Can I say that in the case of an IPv4 address, it is optional whether we pass the hostname to the ldapsearch command, and in the case of an IPv6 address, the hostname is a prerequisite? Even if we know in advance the IPv6 address of the server, we can't pass it directly to the ldapsearch command?
Thanks, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, June 12, 2009 1:28 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
ldapsearch didn't fail, the GSSAPI/Kerberos library did. It was unable to match the provided IP address to the name of a Kerberos server principal. In general, Kerberos requires valid hostnames, it doesn't work well with numeric addresses.
Just to let you guys know that Howard is correct. In dealing with an IPv6 address, we must provide the hostname to the ldapsearch command. The numeric address doesn't work. In contrast, if the server only has an IPv4 address, then providing the hostname is optional, i.e. we can also supply the IPv4 address directly to the ldapsearch command.
So, generally, when we don't know which one of the two addresses (IPv6 and IPv4) the server prioritizes, we had better always provide the hostname to the ldapsearch command when doing SASL bindings.
Thanks heartily, Howard! Xu Qiang
Xu, Qiang (FXSGSC) wrote:
Just to let you guys know that Howard is correct. In dealing with an IPv6 address, we must provide the hostname to the ldapsearch command. The numeric address doesn't work. In contrast, if the server only has an IPv4 address, then providing the hostname is optional, i.e. we can also supply the IPv4 address directly to the ldapsearch command.
So, generally, when we don't know which one of the two addresses (IPv6 and IPv4) the server prioritizes, we had better always provide the hostname to the ldapsearch command when doing SASL bindings.
Even with IPv4 addresses I had some issues when using SASL bind to MS AD (with OpenLDAP's ldapsearch tool). And this is not only with the GSSAPI mech. AD is also picky with DIGEST-MD5.
So in general: If you have any issues with SASL bind and MS AD examine your DNS and the attribute servicePrincipalName of the used service account and fix related DNS RRs if needed.
Ciao, Michael.
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Friday, June 12, 2009 7:10 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: SASL LDAP binding over IPv6
So in general: If you have any issues with SASL bind and MS AD examine your DNS and the attribute servicePrincipalName of the used service account and fix related DNS RRs if needed.
Got it, Michael!
Thanks, Xu Qiang
Hi, all:
With the OpenLDAP utility "ldapsearch", I can do SASL binding over the IPv6 protocol, provided that both the client and the servers (Kerberos server and LDAP server) have global IPv6 addresses.
I want to know if there are any commands that can maximize the output to stderr, so that I can observe who is responsible for finding the Kerberos server whose hostname is resolved to an IPv6 address by DNS.
Thanks, Xu Qiang
Xu, Qiang (FXSGSC) wrote:
Hi, all:
With the OpenLDAP utility "ldapsearch", I can do SASL binding over the IPv6 protocol, provided that both the client and the servers (Kerberos server and LDAP server) have global IPv6 addresses.
I want to know if there are any commands that can maximize the output to stderr, so that I can observe who is responsible for finding the Kerberos server whose hostname is resolved to an IPv6 address by DNS.
Have you read the ldapsearch(1) manpage? Have you already tried the "-d" debug option?
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 1:15 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
Have you read the ldapsearch(1) manpage? Have you already tried the "-d" debug option?
Blushed... Just read the manpage carefully, and used the option "-d -1" (ldap_log.h shows -1 means LDAP_DEBUG_ANY). I got screens of output, around 1000 lines.
However, from the output, I still can't figure out who in the process locates the Kerberos server (resolved by DNS to an IPv6 address) and sends out the TGS-REQ. Could you shed some light on it?
Thanks, Xu Qiang
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 1:15 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
Have you read the ldapsearch(1) manpage? Have you already tried the "-d" debug option?
Blushed... Just read the manpage carefully, and used the option "-d -1" (ldap_log.h shows -1 means LDAP_DEBUG_ANY). I got screens of output, around 1000 lines.
However, from the output, I still can't figure out who in the process locates the Kerberos server (resolved by DNS to an IPv6 address) and sends out the TGS-REQ. Could you shed some light on it?
What OS are you running on, and what version of OpenLDAP are you using?
I suppose you could run ldapsearch -d -1 under strace, which ought to make it clear what the full sequence of events is.
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
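The path Howard describes (URI host, reverse lookup with getnameinfo(), remote host name handed to sasl_client_new() and on to the GSSAPI plugin), as an added example that is not OpenLDAP code and not part of anyone's post in this thread: a small Python model of how the host in an LDAP URI becomes the ldap/<fqdn>@REALM principal the KDC must hold, which reproduces both failures from the first message (unbracketed IPv6 literal rejected as a bad URI; a numeric peer with no PTR record cannot be turned into a service principal). The reverse lookup is injectable so it runs offline; the PTR table, the 2001:db8::5 and 192.0.2.10 addresses and all function names are constructed for this example.

```python
# Added example, not OpenLDAP code: models how the host of an LDAP URI becomes the
# ldap/<fqdn>@REALM principal SASL/GSSAPI requests; the reverse lookup (libldap's
# getnameinfo() step) is injectable so the example runs offline.
import ipaddress
import socket
from typing import Callable, Optional


class LdapUriError(ValueError):
    """Malformed URI (ldapsearch: 'Bad parameter to an ldap routine')."""


class KerberosNameError(ValueError):
    """The peer has no hostname, so no ldap/<host> principal can be named."""


def parse_ldap_host(uri: str) -> tuple[str, int]:
    """Return (host, port); an IPv6 literal must be in brackets (RFC 2732)."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise LdapUriError(f"not an LDAP URI: {uri!r}")
    authority = rest.split("/", 1)[0]
    if authority.startswith("["):              # "[v6addr]" or "[v6addr]:port"
        close = authority.find("]")
        try:
            ipaddress.IPv6Address(authority[1:close])
        except ValueError as exc:
            raise LdapUriError(f"bad IPv6 literal in {uri!r}") from exc
        host, port_part = authority[1:close], authority[close + 1:]
    elif authority.count(":") > 1:             # bare v6: the port boundary is ambiguous
        raise LdapUriError(f"IPv6 address must be bracketed in {uri!r}")
    else:
        host, colon, digits = authority.partition(":")
        port_part = colon + digits
    if not host:
        raise LdapUriError(f"empty host in {uri!r}")
    if not port_part:
        return host, 636 if scheme == "ldaps" else 389
    if port_part[0] == ":" and port_part[1:].isdigit():
        return host, int(port_part[1:])
    raise LdapUriError(f"bad port in {uri!r}")


def getnameinfo_reverse(addr: str) -> Optional[str]:
    """Real PTR lookup via getnameinfo(); None when the address has no name."""
    try:
        return socket.getnameinfo((addr, 0), socket.NI_NAMEREQD)[0]
    except socket.gaierror:
        return None


def service_principal(uri: str, realm: str,
                      reverse: Callable[[str], Optional[str]] = getnameinfo_reverse) -> str:
    """Name the ldap/ principal GSSAPI will ask the KDC for when binding to uri."""
    host, _ = parse_ldap_host(uri)
    try:
        ipaddress.ip_address(host)             # numeric peer: need its PTR name first
    except ValueError:
        return f"ldap/{host}@{realm}"          # hostname given: used as-is
    fqdn = reverse(host)
    if fqdn is None:
        raise KerberosNameError(f"{host} has no PTR record, so no ldap/ principal")
    return f"ldap/{fqdn}@{realm}"


def diagnose(uri: str, realm: str, reverse=getnameinfo_reverse) -> str:
    """One-line pre-flight verdict, the check to run before a SASL ldapsearch."""
    try:
        return "OK " + service_principal(uri, realm, reverse)
    except (LdapUriError, KerberosNameError) as exc:
        return f"FAIL {type(exc).__name__}: {exc}"


# Constructed PTR table standing in for DNS; the names come from the thread.
PTR_TABLE = {"3ffe:2000:0:1:e0be:1872:d4f8:6b2c": "crius.xcipv6.com"}


def table_reverse(addr: str) -> Optional[str]:
    return PTR_TABLE.get(ipaddress.ip_address(addr).compressed)
```

Calling diagnose() with the default getnameinfo_reverse runs the real reverse lookup, so the same check works against live DNS.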
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
What OS are you running on, and what version of OpenLDAP are you using?
"Linux durian 2.6.18-128.1.6.el5.centos.plus #1 SMP Thu Apr 2 12:53:36 EDT 2009 i686 i686 i386 GNU/Linux" is the output of "uname -a".
I suppose you could run ldapsearch -d -1 under strace, which ought to make it clear what the full sequence of events is.
Yes, this is exactly what I did (ldapsearch -d -1 ...), but I failed to find where and when the Kerberos server is contacted. I do find a lot of LDAP sequences. :-(
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
Here, your "canonical name" means the server's FQDN? So, you mean sasl_client_new() is the API to find the server and send out the request TGS-REQ?
Thanks, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
By the way, sasl_client_new() connects to the Kerberos server, or the LDAP server? I suppose it is the former, isn't it?
Thanks, Xu Qiang
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
By the way, sasl_client_new() connects to the Kerberos server, or the LDAP server? I suppose it is the former, isn't it?
Your use of terminology here is unclear. The subject implies that you're asking about the IP address of the Kerberized server, i.e., the server that will use a service ticket from a client to authenticate the client. This is obviously the same machine as the LDAP server, since it is in fact that LDAP server you're trying to authenticate to.
If you're actually talking about the Kerberos KDC, which hands out tickets to clients, its address obviously has nothing to do with any IPv6 address that OpenLDAP passed to SASL.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 4:05 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
Your use of terminology here is unclear. The subject implies that you're asking about the IP address of the Kerberized server, i.e., the server that will use a service ticket from a client to authenticate the client. This is obviously the same machine as the LDAP server, since it is in fact that LDAP server you're trying to authenticate to.
If you're actually talking about the Kerberos KDC, which hands out tickets to clients, its address obviously has nothing to do with any IPv6 address that OpenLDAP passed to SASL.
Thank you, Howard.
I have posted the problem to Kerberos mail list, hoping to get some help.
Best wishes, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
I suppose you could run ldapsearch -d -1 under strace, which ought to make it clear what the full sequence of events is.
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
It seems sasl_client_new() is connecting to the LDAP server, not the Kerberos server. I want to know how the Kerberos server comes into play. Does OpenLDAP pass anything to the Cyrus SASL library to let it know where the Kerberos server lies?
Thanks, Xu Qiang
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
After kinit, there is a Kerberos TGT:
===================================================
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
        renew until 08/08/09 13:19:18

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems OpenLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?
Hope you can clarify the issue, Howard! Xu Qiang
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, August 07, 2009 2:21 PM
To: Xu, Qiang (FXSGSC)
Cc: openldap-technical@openldap.org
Subject: Re: Finding Kerberos server from IPv6 address in SASL binding
By default, on an OS that supports IPv6, libldap will use getnameinfo() to do the reverse lookup from the address. If your system's resolver is configured correctly, and your DNS is configured correctly, then this should return the canonical hostname corresponding to the IP address. The result of this call is used in the sasl_client_new() function as the name of the remote host, and so will be passed on to the GSSAPI plugin.
After kinit, there is a Kerberos TGT:
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
        renew until 08/08/09 13:19:18

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems OpenLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?
Hope you can clarify the issue, Howard!
This is why we tell people "make sure you have Kerberos working on its own before trying to integrate with LDAP" - you're expected to already understand how Kerberos works. You're expected to have gained this understanding by working through getting a Kerberos setup off the ground...
How a Kerberized client finds the relevant KDC is purely a Kerberos issue, and it's outside the scope of these mailing lists. Suffice to say, when you have Kerberos configured correctly on your machine, the Kerberos library will find the right KDC. It obviously has already done so in order to authenticate you originally at kinit time, and the fact that you have a TGT shows that it was successful.
If you want to pursue this question further, please do so on a Kerberos support mailing list; it has nothing to do with SASL or LDAP.