IPv6 Kerberos server address handling in SASL2 GSSAPI plugin
alexey.melnikov at isode.com
Thu Aug 6 04:27:27 EDT 2009
Xu, Qiang (FXSGSC) wrote:
>In my testing of SASL LDAP binding, I found that the GSSAPI plugin library (/usr/lib/sasl2/libgssapiv2.so) will go mad if an IPv6 address of the Kerberos authentication server is passed to it. It just can't recognize the IPv6 address, and would take it as a hostname.
>For example, the IPv6 address of the Kerberos server is "3ffe:2000:0:1:e0be:1872:d4f8:6b2c", and the authentication domain is "xcipv6.com". When the GSSAPI plugin receives this IPv6 address, it would think the address is in the form of "hostname:port", so it would split the address at the first colon, and combine it with the domain name, to form an FQDN "3ffe.xcipv6.com". Then it would try to resolve this FQDN to get the IP address (v4?). Of course, the resolving would lead to an error. And SASL binding can't go through.
I believe this is happening inside the MIT Kerberos V5 library, so you need
to talk to MIT.
>When I configure the printer to use the IPv4 address of the Kerberos server, SASL LDAP binding works well.
>Has anybody seen this problem before? Any potential solution?
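The first-colon split described in the thread above, next to an IPv6-aware split, as an added example that is not part of the original messages and is not code from Cyrus SASL or MIT Kerberos. The function names `naive_split` and `split_host_port` are hypothetical, and the bracketed `[address]:port` form is an assumed input convention.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive split at the first colon: the behaviour the post describes. */
static void naive_split(const char *in, char *host, size_t n) {
    snprintf(host, n, "%.*s", (int)strcspn(in, ":"), in);
}
/* IPv6-aware split: 0 on success, -1 on malformed input; *port is 0 if absent.
 * Accepts "host", "host:port", a bare IPv6 literal, "[v6]" and "[v6]:port". */
static int split_host_port(const char *in, char *host, size_t n, int *port) {
    struct in6_addr a6;
    const char *end, *p = NULL;
    int bracketed = (in[0] == '[');
    size_t len;
    *port = 0;
    if (bracketed) {
        if (!(end = strchr(++in, ']'))) return -1;
        len = (size_t)(end - in);
        if (end[1] == ':') p = end + 2;
        else if (end[1] != '\0') return -1;
    } else if (inet_pton(AF_INET6, in, &a6) == 1) {
        len = strlen(in);                       /* whole string is the address */
    } else {
        end = strrchr(in, ':');
        if (end != strchr(in, ':')) return -1;  /* several colons, not IPv6 */
        len = end ? (size_t)(end - in) : strlen(in);
        if (end) p = end + 1;
    }
    if (len == 0 || len >= n) return -1;
    memcpy(host, in, len);
    host[len] = '\0';
    if (bracketed && inet_pton(AF_INET6, host, &a6) != 1) return -1;
    if (p) {
        char *stop;
        long v = strtol(p, &stop, 10);
        if (*p < '0' || *p > '9' || *stop || v < 1 || v > 65535) return -1;
        *port = (int)v;
    }
    return 0;
}
int main(void) {
    char h[64]; int port;
    const char *kdc = "3ffe:2000:0:1:e0be:1872:d4f8:6b2c";  /* from the post */
    naive_split(kdc, h, sizeof h);
    printf("naive: %s\n", h);
    if (!split_host_port(kdc, h, sizeof h, &port)) printf("aware: %s\n", h);
    return 0;
}
```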