Re: errant SASL/GSSAPI setup?
--On Thursday, August 31, 2006 2:19 PM -0400 "Allan E. Johannesen"
"quanah" == Quanah Gibson-Mount <firstname.lastname@example.org> writes:
quanah> Oh, I had another thought... Why are your replicas getting
quanah> disconnected in the first place? The point of the persistent
quanah> connection is for it to always stay active. Do you have some
quanah> type of limits set on the master for connections? If you do, you
quanah> need to bypass those for your replicas' replication DN with the
quanah> "limits" command in the master's slapd.conf.
The point is that it doesn't disconnect. It doesn't do anything. It
needs to disconnect, but the master can't send to it, due to the expired
ticket, and the client just waits listening on the open socket but
nothing arrives. I seem not to have been able to explain this well.
But my point is, it shouldn't be initiating a disconnect in the first place
(because then the connection isn't persistent).
I absolutely understand that you are having an issue, but I don't think it
is because of the reasons that you think it is. Let me give you another
persistent connection example.
I am logged into System A. I do a Kerberos login to System B.
Now, I can stay logged into System B as long as I want (days, months,
years) across ticket expirations and renewing my tickets, and even if my
tickets expire on System A. My connection between System A and System B
*remains* encrypted and connected. If you use Kerberos logins, you are
probably aware of this. What we are talking about with the LDAP servers is
really no different from a connection standpoint.
Now, I have a different question -- What Kerberos libraries are your ldap
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
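An added example, not from the thread, showing the two pieces of configuration under discussion: a `limits` entry on the provider (master) that exempts the replica's replication identity from the global size and time limits, and the consumer's refreshAndPersist `syncrepl` stanza binding with SASL/GSSAPI. The DNs, host name and rid are constructed placeholders.

```conf
# --- provider (master) slapd.conf, constructed example ---
# Exempt the replica's replication identity from the global size/time
# limits so its persistent search is never terminated by a limit.
# The DN must be the one slapd actually assigns to the replica's SASL
# identity (after any authz-regexp mapping), or the rule will not match.
limits dn.exact="cn=replicator,dc=example,dc=com"
       size=unlimited time=unlimited

# --- consumer (replica) slapd.conf, constructed example ---
# refreshAndPersist keeps one long-lived connection to the provider open;
# the bind uses the Kerberos credentials available to the consumer slapd.
# retry only takes effect when the consumer itself observes the
# connection fail; it does not detect a connection that silently stalls.
syncrepl rid=001
         provider=ldap://ldap-master.example.com
         type=refreshAndPersist
         searchbase="dc=example,dc=com"
         bindmethod=sasl
         saslmech=GSSAPI
         retry="60 +"
```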