[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

To: simon@sxw.org.uk, "Allan E. Johannesen" <aej@WPI.EDU>
Subject: Re: errant SASL/GSSAPI setup?
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 31 Aug 2006 14:59:10 -0700
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <20060831204134.2D79CD000219@mwinf7001.orange.net>
References: <20060831204134.2D79CD000219@mwinf7001.orange.net>

--On Thursday, August 31, 2006 9:41 PM +0100 simon@sxw.org.uk wrote:


If you're using MIT Kerberos, I strongly suspect that the problem you're
seeing is due to the behaviour of its GSSAPI library. With MIT's
implementation a gssapi context is only valid for the lifetime of the
initiator's credential. So, when your clients credentials expire, the
security context also expires, and the client and server both start
failing to decrypt each others packets. We first noticed this problem
because slapd would crash when the decryption failure occurred - this
problem no longer exists - but MIT Kerberos's behaviour has not changed.

Just renewing your credentials won't help, as the new credentials will
only be used when establishing a new security context, which only happens
when a new connection is opened.

Yep, MIT Kerberos is exactly what I was beginning to expect as well, which is why I asked about the Kerberos libraries being used. That's what it looks like is being used from Allan's libraries he provided as wel.

As mentioned on this list numerous times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use Heimdal Kerberos.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Re: errant SASL/GSSAPI setup?
  - From: <simon@sxw.org.uk>

Prev by Date: Re: errant SASL/GSSAPI setup?
Next by Date: Re: errant SASL/GSSAPI setup?
Index(es):
- Chronological
- Thread