> -----Original Message-----
> From: [email protected] [mailto:[email protected]illa.org] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Monday, June 08, 2009 3:29 PM
> To: [email protected]
> Subject: RE: SASL authentication
> 
> Hi, all: 
> 
> Overall, my implementation of SASL binding is OK, but it doesn't work in dealing with IPv6:
> ====================================================================
> <apManager> (Thu Jun 04 2009 15:04:32.847) <p3593,t824878304,aba_ldap_interface.c,1470>
>      INFO>> primary server IP address is 2001:4898:e0:f04b:21f:29ff:fee2:b390
> ......
> <apManager> (Thu Jun 04 2009 15:04:32.851) <p3593,t824878304,aba_ldap_interface.c,1717>
>      INFO>> SASL Login
> <apManager> (Thu Jun 04 2009 15:04:32.852) <p3593,t824878304,aba_ldap_interface.c,1833>
>      INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 91
> <apManager> (Thu Jun 04 2009 15:04:32.852) <p3593,t824878304,aba_ldap_interface.c,1840>
>     ERROR>> LDAP BIND: Value of ldap failure status and text 91 Can't connect to the LDAP server
> ====================================================================

Just to let you guys know I have found the cause of the failure.

Previously, we hit a problem when doing SASL bindings over hostnames. For 
large organizations, one hostname may be associated with many IP addresses, 
many of which serve as backup servers for the main one. 

Suppose we configure the LDAP server to use hostname, then during SASL binding, 
at least two forward DNS queries (to get IP address from hostname) will be 
performed. The first one is to get the IP address of the LDAP server so that we 
know the destination of our LDAP request, while the second one is to be 
immediately followed by a reverse lookup to find the FQDN of the server, which 
will be used to determine Kerberos TGT. In the process, if these two rounds of 
forward DNS queries get different IP addresses, then we may run into a 
situation that we are using the ticket from one host to contact another. 

It's a serious problem. And we don't have much control in it, coz the two DNS 
queries happen in low level libraries, such as Mozilla LDAP, Cyrus SASL and 
possibly GSSAPI. 

Fortunately, we also found that if the LDAP server is configured to use an IP 
address, the problem doesn't occur (of course, since the problem arises from two 
inconsistent forward DNS query results). Based on this, the solution is that we 
don't pass down the hostname directly to prldap_init(). Instead, we do a DNS 
query to get the server's IP address first and then pass this acquired address 
to prldap_init(). 

The code is like this: 
=====================================================================
/* convert primary server hostname to IP address */
if (is_it_an_IP_address(primaryServerHost) == FALSE)
{
    strncpy(primaryIP, primaryServerHost, PRIMARY_HOSTNAME);
    if (get_ip_from_hostname(primaryServerHost, primaryIP))
    {
        LOGINFO("primary server IP address is %s", primaryIP);
    }
    else
    {
        /* resolution failed: fall back to the configured hostname */
        LOGERROR("get_ip_from_hostname() failed for primary server, "
                 "still using hostname!");
        strncpy(primaryIP, primaryServerHost, PRIMARY_HOSTNAME);
    }
}
else
{
    LOGINFO("primary server is already in IP address form");
    strncpy(primaryIP, primaryServerHost, PRIMARY_HOSTNAME);
}

...

/* hand the resolved address (not the hostname) to the LDAP SDK */
if ((ldapHandle = prldap_init(primaryIP, primaryServerPort, 1)) == NULL)
{
    LOGERROR("Failed to do prldap_init for Primary Server...");
    return(ABA_LDAP_INIT_CALL_FAILED);
}
else
{
    LOGINFO("prldap_init SUCCESSFUL to [%s:%d]", primaryIP, primaryServerPort);
}

...

ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
=====================================================================
It works for IPv4 addresses, but it doesn't in dealing with IPv6 addresses.

After removing the above code converting hostname to IP address (the core of which 
is get_ip_from_hostname()), it works for the IPv6 server now! So happy...

On second thoughts, the conversion code can't be removed so easily, coz we still 
face the problem of inconsistent forward DNS query results. The solution I can 
think of is to create some flag, and when the flag is on, do the conversion 
from hostname to IP address. When it is off, we just directly pass the hostname 
down to prldap_init().

Last but not least, I must thank Rich for his direct help all along. And 
although Howard is not in this list, I still need to thank him for he reminded 
me that in dealing with IPv6, we'd better stick to hostname.

Regards,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
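The post's fix resolves the hostname once and passes the literal address to prldap_init() so that the address we connect to and the address the Kerberos/GSSAPI layer later canonicalizes cannot drift apart, and it notes that an IPv4-only resolver breaks this for IPv6 servers and that a flag should choose between the two paths. The following is an added example, not code from the original post or from the Mozilla LDAP SDK: it implements the "is this an address literal?" check and the one-shot resolution for both IPv4 and IPv6 with inet_pton()/getaddrinfo(), and the configuration flag the author proposes. The names is_ip_address(), resolve_host(), choose_ldap_host(), literal_roundtrip() and chosen_host_equals() are this example's own, as are the sample inputs; the IPv6 literal is the one from the log above. It does not change how the SDK itself treats an IPv6 literal.

```c
/* Added example (not from the original post or the LDAP SDK): family-aware
 * resolution of the configured LDAP server before it is handed to the SDK.
 * All function names here are this example's own. */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Return AF_INET or AF_INET6 if `host` is an address literal, 0 otherwise.
 * inet_pton() covers both families; an IPv4-only test such as inet_aton()
 * would report an IPv6 literal as "not an address" and send it to DNS. */
int is_ip_address(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, host, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, host, buf) == 1) return AF_INET6;
    return 0;
}

/* Resolve `host` exactly once with getaddrinfo() (IPv4 or IPv6) and write the
 * first returned address as text into `out`. Returns the address family on
 * success, 0 on failure. `flags` is passed through to getaddrinfo(); a caller
 * can use AI_NUMERICHOST to keep the call offline for literals. */
int resolve_host(const char *host, char *out, size_t outlen, int flags)
{
    struct addrinfo hints, *res = NULL;
    const void *addr;
    int family;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept both IPv4 and IPv6 answers */
    hints.ai_socktype = SOCK_STREAM;  /* LDAP is TCP */
    hints.ai_flags = flags;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL) return 0;

    family = res->ai_family;
    if (family == AF_INET)
        addr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
    else if (family == AF_INET6)
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    else { freeaddrinfo(res); return 0; }

    if (inet_ntop(family, addr, out, (socklen_t)outlen) == NULL) family = 0;
    freeaddrinfo(res);
    return family;
}

/* The flag the post proposes: with convert_to_ip set, resolve the configured
 * hostname ourselves so the SDK connects to the same answer we looked up;
 * with it clear (the IPv6-safe path), pass the hostname through unchanged.
 * Returns 1 if `out` holds the intended value, 0 if resolution failed and the
 * hostname was kept as a fallback (mirroring the post's LOGERROR branch). */
int choose_ldap_host(const char *configured, int convert_to_ip,
                     char *out, size_t outlen)
{
    if (is_ip_address(configured) || !convert_to_ip) {
        snprintf(out, outlen, "%s", configured);
        return 1;
    }
    if (resolve_host(configured, out, outlen, 0) == 0) {
        snprintf(out, outlen, "%s", configured);
        return 0;
    }
    return 1;
}

/* Offline self-check: resolve a literal with AI_NUMERICHOST and report its
 * family if inet_ntop() reproduces the same text, 0 otherwise. */
int literal_roundtrip(const char *lit)
{
    char out[INET6_ADDRSTRLEN];
    int family = resolve_host(lit, out, sizeof out, AI_NUMERICHOST);
    return (family != 0 && strcmp(out, lit) == 0) ? family : 0;
}

/* 1 if choose_ldap_host() yields `expected` for the given input and flag. */
int chosen_host_equals(const char *configured, int convert_to_ip,
                       const char *expected)
{
    char out[256];
    choose_ldap_host(configured, convert_to_ip, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* constructed inputs: the IPv6 literal from the log, an IPv4 literal,
     * and a hostname (resolving the hostname needs DNS and may fail) */
    const char *samples[] = { "2001:4898:e0:f04b:21f:29ff:fee2:b390",
                              "10.0.0.1", "ldap.example.com" };
    char chosen[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = choose_ldap_host(samples[i], 1, chosen, sizeof chosen);
        printf("%-40s family=%d -> %s%s\n", samples[i],
               is_ip_address(samples[i]), chosen,
               ok ? "" : " (resolution failed, hostname kept)");
    }
    return 0;
}
```

The point to carry over to the real code is that the literal check and the resolver must agree on address families: if is_it_an_IP_address() only understands dotted quads, an IPv6 literal is treated as a hostname and handed to a resolver that may only return IPv4, which is one way the conversion path can break exactly the IPv6 case the post describes, while the flag keeps the hostname path available where the resolver cannot be trusted.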
