Re: Openldap crashes on GSSAPI authentication

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Friday, February 21, 2003 11:30 AM -0500 Stephen Frost 
<sfrost@snowman.net> wrote:

> * Quanah Gibson-Mount (quanah@stanford.edu) wrote:
> > --On Friday, February 21, 2003 10:09 AM -0500 Stephen Frost
> > <sfrost@snowman.net> wrote:
> > > Havn't had any problems here so far, though I havn't hit the ldap
> > > server very hard.
> >
> > I have, and I guarantee you that the MIT libraries are not thread safe.
> > Heimdal-0.5.1 is not thread safe, either.  You need to get a version of
> > Heimdal later than 0.5.1 (via CVS), and compile that.  There is also one
> > small patch you need to apply to the CVS code, unless you are compiling
> > on  AIX:
>
> Hrm, well, that's unfortunate.  I wonder if it might be possible to at
> least put a mutex around the SASL calls from LDAP.  That might be easy
> enough and should fix it, with some performance loss of course.  Do you
> see problems when things are under load, or just randomly?  Have you
> heard anything about if MIT will modify their code to be threadsafe?

I haven't heard anything from MIT, nor pursued it with them.  We have found 
that using the MIT libraries leads to a variety of problems, from our JNDI 
application which writes to the directory server, to the directory servers 
and directory clients.  It leads to instability in slapd over time on the 
server side on light loads, and on heavy loads, you get slapd lockups, 
dropped connections, etc.  Given that compiling Cyrus-SASL with Heimdal 
works without problem, I suggest doing that for applications that will be 
accessing the directory as well as when compiling SASL support into 
Openldap.

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html