[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

To: Andreas Hasenack <ahasenack@terra.com.br>, openldap-software@OpenLDAP.org
Subject: Re: errant SASL/GSSAPI setup?
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Fri, 01 Sep 2006 07:42:58 -0700
Content-disposition: inline
In-reply-to: <20060901124506.GC3550@mandriva.com>
References: <20060831204134.2D79CD000219@mwinf7001.orange.net> <2BC57B9BC8697D3A288A8A7D@SW-90-717-287-3.stanford.edu> <20060901124506.GC3550@mandriva.com>

--On Friday, September 01, 2006 9:45 AM -0300 Andreas Hasenack <ahasenack@terra.com.br> wrote:

On Thu, Aug 31, 2006 at 02:59:10PM -0700, Quanah Gibson-Mount wrote:

Yep, MIT Kerberos is exactly what I was beginning to expect as well,
which  is why I asked about the Kerberos libraries being used.  That's
what it  looks like is being used from Allan's libraries he provided as
wel.

As mentioned on this list numerous times, do *not* use MIT kerberos with
OpenLDAP.  Bad things happen.  Use Heimdal Kerberos.


I'm sorry, but this is harsh. I have used mit kerberos for years with
openldap and it works just fine for me. Also, consider that heimdal
development seems stalled and mit's is thriving, and that no current
linux distro ships it by default anymore. I even sent some trivial
patches to the heimdal list and got absolutely no response.  Sometimes I
even wonder if I'm still subscribed, given the super low traffic.

I guess that depends on your definition of "works". Any time I've tested OpenLDAP slapd compiled against MIT Kerberos instead of Heimdal, it has been at *least* 4 times slower, and has a very high rate of failed connections under load. Now understand, Stanford *is* an MIT Kerberos shop. We use it for just about everything from the KDC down. But quite frankly, if you want a stable, reliable, fast OpenLDAP server, you simply don't link it against MIT Kerberos at this time.

I also work directly with the MIT Kerberos developers in this testing, and they have worked hard to improve how their implementation works. In fact, one of my co-workers is one of the MIT Kerberos developers. ;)

Intersetingly enough, this revelation about the broken behavior in MIT Kerberos and SASL/GSSAPI actually explains some problems we've seen in our applications using MIT Kerberos. I filed a bug on this with the MIT Kerberos folks, and they are looking at how they want to solve it.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: errant SASL/GSSAPI setup?
  - From: Donn Cave <donn@u.washington.edu>

References:
- Re: errant SASL/GSSAPI setup?
  - From: Andreas Hasenack <ahasenack@terra.com.br>

Prev by Date: Re: errant SASL/GSSAPI setup?
Next by Date: Re: SASL/GSSAPI error upgrade
Index(es):
- Chronological
- Thread