[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antwort: Re: SASL/GSSAPI auth stops working after slapd restart [Virus checked]

>> I'm testing this on rather standard Mandrake Linux 9.2 install, with
>> following software installed:
>> cyrus-SASL  v2.1.15
>> OpenLDAP v2.1.22
>> (MIT) Kerberos v1.3

>I say this, repeatedly... OpenLDAP should not be used on the server side

I noticed this. .-)

>with MIT KRB5, because MIT KRB5 is very broken in relation to threading.  I

I presume that "broken threading" means that problems occur if/when two authorisation requests come at a same time?

What are exactly the type problems that can be expected from this side?

 - slapd dies?
 - kerberos dies?
 - false positive results? (someone binds with false credentials)
 - false negative results? (temporarly unable to bind with right credentials)
 - LDAP DB corruption?
 - Kerberos DB corruption?
 - other?

>will also note that OpenLDAP 2.1.22 is old and was rather problematic, and
>there have been a lot of bug fixes since then.

>I suggest you
>A) Upgrade to a recent server version

OK, will try this first

>B) Compile your server against Heimdal

From your old mails I understood that only slapd needs to be compiled against Heimdal libraries, while all the rest can remain as it is (i.e. MIT-centric). Is this correct?

Somewhat related question: I read something about Heimdal being able to use LDAP as backend DB, or such, but can't find any good documentation on this thema. Is this something one should seriously consider if/when building LDAP+Kerberos auth. server?

I can kind of imagine that having keytabs and such in LDAP tree could help in assuring that every host in the network accesses the same data, and that this might cut down the synchronisation problems but...


T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                             eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444                       Phone: +43-1-79-585/6237          
A-1030 Vienna                                  Fax: +43-1-795-85/6584