[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

To: openldap-software@OpenLDAP.org
Subject: Re: errant SASL/GSSAPI setup?
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Fri, 01 Sep 2006 09:43:52 -0700
Cc: Donn Cave <donn@u.washington.edu>
Content-disposition: inline
In-reply-to: <2F13E0E3-A2B9-42B1-A782-7B1453AB11B3@u.washington.edu>
References: <20060831204134.2D79CD000219@mwinf7001.orange.net> <2BC57B9BC8697D3A288A8A7D@SW-90-717-287-3.stanford.edu> <20060901124506.GC3550@mandriva.com> <744A25EB9086BD3605D9C80B@SW-90-717-287-3.stanford.edu> <2F13E0E3-A2B9-42B1-A782-7B1453AB11B3@u.washington.edu>

--On Friday, September 01, 2006 9:20 AM -0700 Donn Cave <donn@u.washington.edu> wrote:

On Sep 1, 2006, at 7:42 AM, Quanah Gibson-Mount wrote:

...

I guess that depends on your definition of "works".  Any time I've
tested OpenLDAP slapd compiled against MIT Kerberos instead of
Heimdal, it has been at *least* 4 times slower, and has a very high
rate of failed connections under load.  Now understand, Stanford
*is* an MIT Kerberos shop.  We use it for just about everything
from the KDC down.  But quite frankly, if you want a stable,
reliable, fast OpenLDAP server, you simply don't link it against
MIT Kerberos at this time.


Do you mean, reliable & fast _under a significant GSS authentication
load_?


Yes, using SASL/GSSAPI as your main authentication choice.

Above you appear to say that our server, linked with MIT Kerberos,  simply
can't be fast and reliable.  I have tried both ways - with Heimdal, with
MIT - and Heimdal wasn't nearly worth the trouble for us.  But we don't
expect that much GSS authentication in the foreseeable future,  because we
have no user-level applications for authenticated directory service.   MIT
GSSAPI gives us the ability to respond to occasional demand that may
arise,
without much support burden (and with replay cache), and merely linking
against it certainly does not compromise slapd at all.

Yeah, the replay cache is actually one of the first things the MIT folks have me disable during testing, because it was the cause of even worse performance slowdowns and some instability when it was enabled with GSS. ;)

Of course it would be foolish to discount your experience, but I agree
with Andreas when it comes to what you're saying, as opposed to what
I suppose you mean.

Yes, thanks for helping clarify. If you ever do move to a more GSS-enabled environment, hopefully MIT will be more stable at that time. ;) It is in my to-do list to grab version 1.5 and do some more testing with it, but I've been trying to clear out my must-do-before-students-get-here list... ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Re: errant SASL/GSSAPI setup?
  - From: Andreas Hasenack <ahasenack@terra.com.br>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: errant SASL/GSSAPI setup?
  - From: Donn Cave <donn@u.washington.edu>

Prev by Date: Re: errant SASL/GSSAPI setup?
Next by Date: Re: ldap_sasl_interactive_bind_s: Confidentiality required (13)
Index(es):
- Chronological
- Thread