Re: Integration: MIT Kerberos V and OpenLDAP with SASL/GSSAPI

[Kevin <openldap@gnosys.biz>]

On Saturday 06 March 2004 16:41, Quanah Gibson-Mount wrote:
> Hi Kevin,
>
> Stanford is very much a MIT Krb5 shop, and we use it and its libraries
> for everything except the OpenLDAP servers.  I don't have the MIT krb5

So I guess that heimdal and MIT kerberos KDCs can work together pretty 
easily then (as master/slave KDCs?)?  I'm guessing you guys at Stanford 
don't have a separate KDC database for the OpenLDAP servers... or am I 
wrong on that?

> patches, as I've never pursued that route.  One reason is what they do
> is mutex all the calls, which I think would have a negative impact on
> performance over how Heimdal operates, and for us, the server

Also good to know (though I don't really understand threads well enough to 
know what a mutex is---I get the gist anyway: performance problems).

> performance is a very big deal.  It is not difficult to compile & run
> Heimdal.

I wouldn't even need to since SuSE 9 comes packaged with heimdal.  I opted 
to build MIT kerby 5 from source because I thought it would be more well 
tested for vulnerabilities and so forth.

>
> I've also worked some with the MIT folks on the threading issue, so I
> know it is on their to-do list.  However, I'm fairly certain that none
> of that work was put into 1.3.2.

Ok.  Thank you.

>
> You can find a lot about our configuration at:
>
> <http://www.stanford.edu/services/directory/openldap/configuration/inde
>x.ht ml>

Again, thanks for the pointer.


-- 
-Kevin