
Re: Openldap and MIT krb5-1.4

--On Monday, January 31, 2005 10:14 AM -0200 Andreas Hasenack <andreas@conectiva.com.br> wrote:

On Sat, Jan 29, 2005 at 05:46:50PM -0800, Quanah Gibson-Mount wrote:
tested.  And unless you disable the replay cache, you'll run into some
nasty issues that they don't plan on fixing.

Isn't the replay cache a "good thing" to have, regarding Kerberos security?

On the kerberos servers, yes. If you have a server dedicated to LDAP, no. Especially not if it is a high-volume server. The current K5 replay cache uses the timestamp of an incoming request in the replay cache, and it is entirely possible to have multiple requests come in at the same time. This has some nasty consequences (dropped connections), and won't be fixed for the time being.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
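The failure mode Quanah describes, a replay cache whose key is so coarse that two distinct, legitimate requests arriving with the same timestamp look like a replay, modelled as an added example. This is not code from the original message or from MIT krb5; the principal names, timestamps and request bytes are constructed, and the hash-widened key is one way a finer-grained cache avoids the false rejection, not a description of what any krb5 release actually does.

```python
"""Model of a Kerberos-style replay cache keyed on request timestamps.

Added illustration of the collision problem discussed above; not MIT krb5
code. A replay cache is a detection control (catch an attacker resending a
captured authenticator). If its key is too coarse it also rejects legitimate
traffic, which on a busy LDAP server shows up as dropped connections.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Authenticator:
    """The fields of an AP-REQ authenticator a replay cache can see (constructed)."""
    client: str
    server: str
    ctime: int      # client time, seconds
    cusec: int      # client time, microseconds
    body: bytes     # stands in for the remaining per-request authenticator bytes


@dataclass
class ReplayCache:
    """Accept-or-reject cache parameterised by how a request is keyed."""
    key_fn: Callable[[Authenticator], Tuple]
    seen: Set[Tuple] = field(default_factory=set)

    def check(self, auth: Authenticator) -> bool:
        """True if accepted, False if rejected as a replay."""
        key = self.key_fn(auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def timestamp_key(auth: Authenticator) -> Tuple:
    # Coarse key: client, server and timestamp only. Two different requests
    # from the same client that share a timestamp collide here.
    return (auth.client, auth.server, auth.ctime, auth.cusec)


def hashed_key(auth: Authenticator) -> Tuple:
    # Finer key (assumed mitigation): also bind a digest of the authenticator
    # contents, so distinct requests with equal timestamps are told apart
    # while an exact resend of the same authenticator is still caught.
    digest = sha256(auth.body).hexdigest()
    return (auth.client, auth.server, auth.ctime, auth.cusec, digest)


def simulate(key_fn: Callable[[Authenticator], Tuple],
             requests: List[Authenticator]) -> Tuple[int, int]:
    """Return (accepted, rejected) counts for a sequence of authenticators."""
    cache = ReplayCache(key_fn)
    accepted = sum(1 for a in requests if cache.check(a))
    return accepted, len(requests) - accepted


def false_rejections(key_fn: Callable[[Authenticator], Tuple],
                     requests: List[Authenticator]) -> int:
    """Count never-before-seen requests the cache wrongly rejected."""
    cache = ReplayCache(key_fn)
    seen_exact: Set[Authenticator] = set()
    wrongly = 0
    for a in requests:
        accepted = cache.check(a)
        is_replay = a in seen_exact      # exact same authenticator seen before
        seen_exact.add(a)
        if not accepted and not is_replay:
            wrongly += 1
    return wrongly


# Constructed traffic: one client principal (a pooled web frontend) opens two
# LDAP connections in the same clock tick, then an attacker resends the first.
CLIENT = "web-frontend@EXAMPLE.ORG"
LDAP = "ldap/ldap.example.org@EXAMPLE.ORG"
LEGIT_A = Authenticator(CLIENT, LDAP, 1107100000, 500, b"request-A")
LEGIT_B = Authenticator(CLIENT, LDAP, 1107100000, 500, b"request-B")
REPLAY_OF_A = LEGIT_A
SAMPLE = [LEGIT_A, LEGIT_B, REPLAY_OF_A]

if __name__ == "__main__":
    for name, fn in (("timestamp-only", timestamp_key), ("timestamp+digest", hashed_key)):
        acc, rej = simulate(fn, SAMPLE)
        print(f"{name:17s} accepted={acc} rejected={rej} "
              f"legitimate requests wrongly rejected={false_rejections(fn, SAMPLE)}")
```

With the timestamp-only key the second legitimate connection is dropped along with the genuine replay; with the digest-widened key only the replay is rejected. Disabling the cache entirely, as the message suggests for a dedicated high-volume LDAP server, trades the replay check away for availability, so the decision belongs in the server's threat model rather than in a default.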