
Re: errant SASL/GSSAPI setup?

--On Thursday, August 31, 2006 2:19 PM -0400 "Allan E. Johannesen" <aej@WPI.EDU> wrote:

"quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

quanah> Oh, I had another thought... Why are your replicas getting
quanah> disconnected in the first place? The point of the persistent
quanah> connection is for it to always stay active. Do you have some type of
quanah> limits set on the master for connections? If you do, you need to
quanah> bypass those for your replicas' replication DN with the "limits" command
quanah> in the master's slapd.conf.

The point is that it doesn't disconnect.  It doesn't do anything.  It
needs to disconnect, but the master can't send to it, due to the expired
ticket, and the client just waits listening on the open socket but
nothing arrives.  I seem not to have been able to explain this well.

But my point is, it shouldn't be initiating a disconnect in the first place (because then the connection isn't persistent).

I absolutely understand that you are having an issue, but I don't think it is because of the reasons that you think it is. Let me give you another persistent connection example.

I am logged into System A. I do a Kerberos login to System B.

Now, I can stay logged into System B as long as I want (days, months, years) across ticket expirations and renewing my tickets, and even if my tickets expire on System A. My connection between System A and System B *remains* encrypted and connected. If you use Kerberos logins, you are probably aware of this. What we are talking about with the LDAP servers is really no different from a connection standpoint.

Now, I have a different question -- What Kerberos libraries are your ldap servers using?


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
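An added illustration of the "limits" exemption Quanah refers to, written for this thread and not taken from either poster's configuration; the realm, hosts, principal and suffix are assumed example values, and the replication identity is shown as the SASL-derived DN slapd uses when no authz-regexp mapping is configured:

```conf
# --- Provider (master) slapd.conf ---
# Global limits apply to every bound identity, including the consumer's
# refreshAndPersist search, unless that identity is exempted.
sizelimit 500
timelimit 3600

# Replication identity: GSSAPI principal ldap/replica.example.com@EXAMPLE.COM
# binds as uid=<principal>,cn=<realm>,cn=gssapi,cn=auth (assumed example DN).
# Exempt it so the persistent search is never cut off by size or time limits.
limits dn.exact="uid=ldap/replica.example.com,cn=EXAMPLE.COM,cn=gssapi,cn=auth"
       size.soft=unlimited size.hard=unlimited
       time.soft=unlimited time.hard=unlimited

# The syncprov overlay serves the persistent search on the provider.
overlay syncprov

# --- Consumer (replica) slapd.conf ---
# The persistent connection binds over SASL/GSSAPI using the consumer's
# Kerberos credentials; the provider-side DN above must match this identity.
syncrepl rid=001
         provider=ldap://master.example.com
         type=refreshAndPersist
         searchbase="dc=example,dc=com"
         bindmethod=sasl
         saslmech=GSSAPI
         retry="60 +"
```

With the exemption in place, a consumer that does drop its connection is reconnected by the retry setting rather than being silently left waiting on a socket the provider will no longer write to.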