Re: Q: Heimdal on RedHat

--On Tuesday, April 06, 2004 4:18 PM -0700 Donn Cave <donn@u.washington.edu> wrote:

On Tuesday, April 6, 2004, at 01:21 PM, Frank Swasey wrote:
I have seen the mantra here so many times that one should always
compile OpenLDAP using the Heimdal libraries.  However, on a RedHat
(Fedora or otherwise) system, the MIT libraries are so intertwined in
the os (SSL, SASL) that I'm wondering if anyone has crossed this bridge
before (or are you all like me and just continuing to use the MIT
libraries to this point) to compile OpenLDAP 2.1 on a RedHat system
with the heimdal libraries and how you managed it.

I have only used Kerberos through Cyrus SASL, which I build myself. Redhat's SSL does depend on (its own) Kerberos. It does seem like that could pose a problem if both Heimdal and Redhat MIT are linked in as shared libraries, but they don't have to be - I link sasl's libgssapiv2.so with libkrb5.a etc., statically.

Or you can build your own SSL.

Or you can use MIT Kerberos.  I understand Simon Wilkinson would
have the best patches for this, but it's not a huge programming feat
to add pthreads mutexes to cyrus-sasl's gssapi plugin.  I believe
that's an improvement over using Heimdal, whose thread safety is
after all only a matter of conjecture, without mutexes.

I've yet to see patched MIT Kerberos compare favorably performance-wise with Heimdal, either. We have patched MIT libraries we use with our webauth system, and they are still problematic.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html