[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Centralized LDAP Authentication or Kerberos+LDAP Authentication

To: openldap-software@OpenLDAP.org
Subject: Re: Centralized LDAP Authentication or Kerberos+LDAP Authentication
From: Rich Graves <rcgraves@brandeis.edu>
Date: Sun, 22 Aug 2004 11:23:14 -0400 (EDT)

> You may view them at:
> http://web.singnet.com.sg/~garyttt/

Thanks for contributing what you're learning, but don't follow these
directions in a production environment.

Your init script, like redhat's, stops the server with kill -9. Especially
with a bdb backend, this will corrupt your dababase and cause master and
slave to get out of sync. (RedHat's ldap.init is mostly ok with openldap
2.0.27/ldbm, to the limited extent that openldap 2.0.27/ldbm is ok. With
2.2.x/bdb, though, you need to use -HUP or at most -TERM.)

You don't mention DB_CONFIG. If you add a nontrivial number of entries, the 
server will fail without one.

Overwriting redhat's openldap, openssl, and db4 libs in /usr is likely to
cause programs linked with the stock versions, such as sendmail, to crash
at some point. Either rebuild the whole system or segregate in /opt or
/usr/local.

It is not safe to use MIT kerberos in multithreaded applications 
like openldap without patches.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator

Follow-Ups:
- Re: Centralized LDAP Authentication or Kerberos+LDAP Authentication
  - From: Tony Earnshaw <tonye@billy.demon.nl>

Prev by Date: Re: schema error
Next by Date: Re: Also, Re: What is err=52?
Index(es):
- Chronological
- Thread