Re: open ldap with SASL & GSSAPI

[Donn Cave <donn@u.washington.edu>]

On Nov 8, 2006, at 8:51 PM, Maxwell Bottiger wrote:

> On Wed, 2006-11-08 at 18:28 -0800, Howard Chu wrote:
>
> snip
>
> > MIT Kerberos is known to work very poorly with OpenLDAP slapd.  
> > Heimdal
> > is known to work well. On the client side, either one will work, but
> > generally I would recommend using Heimdal.
>
> I have heard that through other sources as well.  I'm really just  
> using
> MIT kerberos because it shipped with my distro.  Can I move the  
> kerberos
> database directly to Hemidal in the future?

Don't do that just for this.  I don't know for sure that it
isn't possible, but if you just want to satisfy this particular
need for Heimdal, just build OpenLDAP slapd with Heimdal --
the Heimdal slapd will work fine with an MIT KDC, and MIT
LDAP clients like for example the ldapsearch on MacOS X.

On the other hand, we use MIT Kerberos with slapd.  I have
observed reduced authentication speed, compared to SSL, but
as I understand it that comes from replay cache functionality
in the MIT server that serves an arguably desirable purpose.
With current Cyrus SASL, I don't see any serious problem with
MIT Kerberos, but if you're expecting an extremely heavy load
of GSSAPI authentication and are willing to dispense with the
replay cache checks, your perspective might be different.

> > SASL-enabled servers don't talk to saslauthd to perform GSSAPI
> > authentication, so that is out of the equation.
>
> That's very interesting.  If openldap and other sasl enabled services
> don't need saslauthd, what does use it?  Just curious.  Maybe it's
> something I can turn off.

Maybe!  But note that he said "... to perform GSSAPI authentication".
That was true, and your paraphrase is clearly false.

	Donn Cave, donn@u.washington.edu