Re: Openldap and MIT krb5-1.4
--On Monday, January 31, 2005 10:14 AM -0200 Andreas Hasenack
> On Sat, Jan 29, 2005 at 05:46:50PM -0800, Quanah Gibson-Mount wrote:
>> tested. And unless you disable the replay cache, you'll run into some
>> nasty issues that they don't plan on fixing.
>
> Isn't the replay cache a "good thing" to have? regarding Kerberos

On the Kerberos servers, yes. If you have a server dedicated to LDAP, no.
Especially not if it is a high-volume server. The current K5 replay cache
uses the timestamp of an incoming request in the replay cache, and it is
entirely possible to have multiple requests come in at the same time. This
has some nasty consequences (dropped connections), and won't be fixed for
the time being.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
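
The failure mode described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code: a toy replay cache keyed only on client, server and request timestamp rejects distinct requests that happen to carry the same timestamp. The principal names, the sample requests and the digest-keyed variant used for comparison are constructed assumptions.

```python
import hashlib


class ReplayCache:
    """Toy replay cache; entries expire after `lifetime` seconds."""

    def __init__(self, lifetime=300, include_digest=False):
        self.lifetime = lifetime
        self.include_digest = include_digest  # hypothetical variant for comparison
        self.seen = {}  # cache key -> request timestamp

    def _key(self, req):
        # Timestamp-only key, as the reply describes the K5 replay cache.
        key = (req["client"], req["server"], req["ctime"], req["cusec"])
        if self.include_digest:
            # Assumption: also bind the entry to the authenticator bytes.
            key += (hashlib.sha256(req["authenticator"]).hexdigest(),)
        return key

    def accept(self, req, now):
        """Return True if the request is new, False if flagged as a replay."""
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= self.lifetime}
        key = self._key(req)
        if key in self.seen:
            return False
        self.seen[key] = req["ctime"]
        return True


def make_requests():
    """Constructed sample: three distinct requests share one timestamp."""
    base = {"client": "ldapclient@EXAMPLE.COM",
            "server": "ldap/ldap.example.com@EXAMPLE.COM"}
    stamps = [(1107173640, 0), (1107173640, 0), (1107173640, 0), (1107173641, 0)]
    reqs = [dict(base, ctime=c, cusec=u, authenticator=b"authenticator-%d" % i)
            for i, (c, u) in enumerate(stamps)]
    reqs.append(dict(reqs[3]))  # byte-for-byte copy: a genuine replay
    return reqs


def run(include_digest):
    cache = ReplayCache(include_digest=include_digest)
    return [cache.accept(r, now=r["ctime"]) for r in make_requests()]


if __name__ == "__main__":
    print("timestamp key:", run(False))
    print("timestamp + digest key:", run(True))
```

With the timestamp-only key, the second and third legitimate requests are refused along with the real replay; with the digest included, only the real replay is refused.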