
Re: errant SASL/GSSAPI setup?

--On Thursday, August 31, 2006 9:41 PM +0100 simon@sxw.org.uk wrote:

If you're using MIT Kerberos, I strongly suspect that the problem you're seeing is due to the behaviour of its GSSAPI library. With MIT's implementation a gssapi context is only valid for the lifetime of the initiator's credential. So, when your client's credentials expire, the security context also expires, and the client and server both start failing to decrypt each other's packets. We first noticed this problem because slapd would crash when the decryption failure occurred - this problem no longer exists - but MIT Kerberos's behaviour has not changed.

Just renewing your credentials won't help, as the new credentials will
only be used when establishing a new security context, which only happens
when a new connection is opened.

Yep, MIT Kerberos is exactly what I was beginning to expect as well, which is why I asked about the Kerberos libraries being used. That's what it looks like is being used from Allan's libraries he provided as well.

As mentioned on this list numerous times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use Heimdal Kerberos.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
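The following is an added illustrative model, not code from OpenLDAP, MIT Kerberos or anyone on this thread. It shows the failure mode described in the quoted message and the only workable client-side mitigation it implies: a GSSAPI context inherits the end time of the initiator's credential at bind time, renewing the credential afterwards does not extend that context, so a long-lived connection has to be closed and re-bound before the context expires. The class names, the `margin` parameter and the timestamps are all assumptions made for the example; in a real client the credential end time would come from the credential cache (what `klist` prints) or from the context lifetime that `gss_inquire_context` reports.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Credential:
    """A Kerberos credential with an absolute end time (constructed values below)."""
    principal: str
    expires_at: int


@dataclass
class SecurityContext:
    """An established GSSAPI context. Its lifetime is fixed when it is created
    and, with the behaviour described on the list, never extended afterwards."""
    expires_at: int

    def can_wrap(self, now: int) -> bool:
        # Past the initiator's credential end time, wrap/unwrap fail on both sides.
        return now < self.expires_at


class GssapiLdapClient:
    """Holds one SASL/GSSAPI-bound LDAP connection (assumed model, not libldap)."""

    def __init__(self, cred: Credential, margin: int = 60) -> None:
        self.cred = cred
        self.margin = margin                  # rebind this many seconds before expiry
        self.ctx: Optional[SecurityContext] = None
        self.binds = 0

    def renew_credential(self, new_expires_at: int) -> None:
        """Model of kinit / kinit -R: only the credential cache changes, not the context."""
        self.cred = Credential(self.cred.principal, new_expires_at)

    def bind(self, now: int) -> SecurityContext:
        """Open a new connection and bind; the new context inherits the credential lifetime."""
        if now >= self.cred.expires_at:
            raise RuntimeError("credential already expired; renew it before binding")
        self.binds += 1
        self.ctx = SecurityContext(expires_at=self.cred.expires_at)
        return self.ctx

    def request(self, now: int, proactive: bool) -> bool:
        """Return True if a request sent at `now` would go over a working context."""
        if self.ctx is None:
            self.bind(now)
        elif proactive and now + self.margin >= self.ctx.expires_at:
            self.bind(now)  # recycle the connection before the old context dies
        return self.ctx.can_wrap(now)


def scenario() -> dict:
    """Constructed timeline: credential valid until t=1000, renewed at t=900 to t=2000."""
    naive = GssapiLdapClient(Credential("user@EXAMPLE.ORG", expires_at=1000))
    managed = GssapiLdapClient(Credential("user@EXAMPLE.ORG", expires_at=1000), margin=60)
    results = {}
    # t=100: both clients bind for the first time.
    results["naive_t100"] = naive.request(100, proactive=False)
    results["managed_t100"] = managed.request(100, proactive=True)
    # t=900: both renew their credentials; the existing contexts are untouched.
    naive.renew_credential(2000)
    managed.renew_credential(2000)
    results["naive_ctx_after_renew"] = naive.ctx.expires_at      # still 1000
    # t=950: the managed client is inside its margin and re-binds.
    results["naive_t950"] = naive.request(950, proactive=False)
    results["managed_t950"] = managed.request(950, proactive=True)
    results["managed_ctx_after_rebind"] = managed.ctx.expires_at  # now 2000
    # t=1100: the naive client's context has expired; the managed one still works.
    results["naive_t1100"] = naive.request(1100, proactive=False)
    results["managed_t1100"] = managed.request(1100, proactive=True)
    results["naive_binds"] = naive.binds
    results["managed_binds"] = managed.binds
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that `renew_credential` changes nothing about the context already in use: the naive client keeps a context that dies at t=1000 no matter how fresh its ticket cache is, while the managed client survives only because it threw the connection away and bound again before that deadline.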