[Pkg-openldap-devel] Bug#696207: ldapsearch sets Kerberos principal incorrectly over IPv6
Brian May
brian at microcomaustralia.com.au
Tue Dec 18 04:15:03 UTC 2012
Package: ldap-utils
Version: 2.4.31-1
When /etc/hosts contains only the IPv4 address of the server, everything
works.
root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org uid=aspiers -H ldap://sys11.ad.vpac.org/ -A > /dev/null
SASL/GSSAPI authentication started
SASL username: administrator@AD.VPAC.ORG
SASL SSF: 56
SASL data security layer installed.
If ldapsearch uses IPv6, then things don't work.
With libsasl2-modules-gssapi-mit installed.
root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address)
With libsasl2-modules-gssapi-heimdal installed.
root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/2001:388:60ac:10d:214:85ff:fef6:8a5@AD.VPAC.ORG) not found)
It should not be trying to use ldap/2001:388:60ac:10d:214:85ff:fef6:8a5@AD.VPAC.ORG; it should use the name I specified on the command line, i.e. ldap/sys11.ad.vpac.org@AD.VPAC.ORG
--
Brian May <brian at microcomaustralia.com.au>
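
Added example, not part of the original report or of OpenLDAP: a small triage helper that reads the stderr of a failed `ldapsearch -Y GSSAPI` bind and flags the case reported above, where the service principal was built from a numeric address instead of the host name in the LDAP URL. The names `diagnose` and `is_numeric_host` are hypothetical; the two sample inputs are the error texts from this report.

```python
import ipaddress
import re

MIT_MSG = "Cannot determine realm for numeric host address"
# Heimdal names the principal it looked for; accept "@" or the archive's " at ".
CRED_RE = re.compile(
    r"Matching credential \((\w+)/ ?([^\s@)]+?)(?:@| at )([^\s)]+)\) not found")

def is_numeric_host(host):
    """True if the host part of a principal is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def diagnose(stderr, url_host, realm, service="ldap"):
    """Classify ldapsearch stderr from a failed -Y GSSAPI bind."""
    text = " ".join(stderr.split())  # undo terminal/e-mail line wrapping
    result = {"numeric_host": MIT_MSG in text, "requested": None,
              "expected": f"{service}/{url_host}@{realm}"}
    m = CRED_RE.search(text)
    if m:
        svc, host, rlm = m.groups()
        result["requested"] = f"{svc}/{host}@{rlm}"
        result["numeric_host"] = result["numeric_host"] or is_numeric_host(host)
    return result

# Error text copied from the report above, wrapping preserved.
HEIMDAL_ERR = """ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Matching credential (ldap/
2001:388:60ac:10d:214:85ff:fef6:8a5 at AD.VPAC.ORG) not found)"""
MIT_ERR = """ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Cannot
determine realm for numeric host address)"""

if __name__ == "__main__":
    for err in (HEIMDAL_ERR, MIT_ERR):
        print(diagnose(err, "sys11.ad.vpac.org", "AD.VPAC.ORG"))
```

When `numeric_host` is true, the `requested` and `expected` fields show the principal the library asked for next to the one the command line implies; the MIT message does not name a principal, so `requested` stays empty there.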