Re: Heimdal Vs. MIT Round 4
On Friday, July 30, 2004, at 09:52 AM, Quanah Gibson-Mount wrote:
> Yesterday, I tested OpenLDAP using Heimdal and OpenLDAP using a
> 6/24/2004 HEAD checkout of MIT Kerberos (It has mutex protections in
> Overall, results for MIT Kerberos have improved -- The server never
> locked up, and it was able to keep a reasonable number of clients
> Heimdal was able to keep 29 without issue.
> Cyrus-SASL 2.1.19 (This release does *not* have mutex protections in.)
> BDB 4.2.52 (plus 2 patches)
> Note the far superior speed performance when using Heimdal. So,
> although I understand that people often would prefer to have only a
> single Kerberos to use, if you go with MIT as the underlying Kerberos
> to build cyrus-sasl against, you are looking at getting 3x+ worse
> performance than if you went with Heimdal.

I haven't explored this issue in detail, since my application is in
general going to be host-authorized and authenticated via certificate.
But when I tested performance with GSSAPI authentication, I found that
it was significantly slower than SSL certificates. To my surprise,
since I had expected the cryptography to be more expensive, but I think
the explanation is "replay" detection, which requires the server to
maintain a little database of incoming authentications. An MIT server,
anyway, as that was what I was using - Heimdal's replay cache system
may be different. That could sure limit the rate of concurrent
authentications, and the effect could vary a lot between
Could be an issue, if you have an application where the rate of GSSAPI
authentications is the limiting factor.
Donn Cave, firstname.lastname@example.org
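
A minimal model of the replay detection mentioned in the reply above, added here as an illustration; it is not code from MIT Kerberos, Heimdal, or either poster. The class name, the 300-second window and the in-memory dictionary are assumptions of this sketch, which shows that every authentication performs a check-and-insert on shared state under a lock.

```python
import threading

CLOCK_SKEW = 300  # seconds; assumed acceptance window for this sketch


class ReplayCache:
    """Hypothetical in-memory replay cache keyed on authenticator fields."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}                 # (client, ctime, cusec) -> ctime
        self._lock = threading.Lock()   # every authentication passes through here

    def check_and_store(self, client, ctime, cusec, now):
        """Return True if the authenticator is fresh and unseen, else False."""
        if abs(now - ctime) > self.skew:
            return False                # outside the window: rejected without a lookup
        key = (client, ctime, cusec)
        with self._lock:
            # Entries older than the window can be dropped: a replay of them
            # would already fail the skew check above.
            for old in [k for k, t in self._seen.items() if now - t > self.skew]:
                del self._seen[old]
            if key in self._seen:
                return False            # same authenticator presented twice
            self._seen[key] = ctime
            return True

    def size(self):
        with self._lock:
            return len(self._seen)


def concurrent_accepts(cache, client, ctime, cusec, now, n_threads=8):
    """Present one authenticator from n_threads at once; count acceptances."""
    results = []

    def worker():
        results.append(cache.check_and_store(client, ctime, cusec, now))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

The lookup and the insert sit inside one critical section because they have to be atomic; otherwise two simultaneous presentations of the same authenticator could both be accepted.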