
Re: Openldap and MIT krb5-1.4

--On Saturday, January 29, 2005 7:19 PM -0500 dijuremo@math.gatech.edu wrote:


According to previous discussions on the list, the big deal about building
openldap against MIT Kerberos libraries was that the latest were not
thread safe.  According to the list of changes on the MIT Kerberos
website: http://web.mit.edu/kerberos/www/krb5-1.4/, their new release is
thread safe.

Has anyone tested building openldap against the new MIT Kerberos libraries
and tested it successfully?  The last time I tried this was with MIT
krb5-1.2 and openldap 2.1.X series; with that setup I could reliably crash
slapd while trying to use gssapi authentication.

Yes, I've tested the MIT libraries at the request of MIT many times.

Are there any other reasons to keep using heimdal rather than MIT krb5 on
the openldap servers other than the export restrictions?  It is my
understanding that the software export restrictions had changed a bit
allowing MIT kerberos to also be used more flexibly outside the U.S.

The MIT libraries are not quite as fast as the Heimdal ones the last time I tested. And unless you disable the replay cache, you'll run into some nasty issues that they don't plan on fixing.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin