Re: errant SASL/GSSAPI setup?
--On Thursday, August 31, 2006 9:41 PM +0100 firstname.lastname@example.org wrote:
If you're using MIT Kerberos, I strongly suspect that the problem you're
seeing is due to the behaviour of its GSSAPI library. With MIT's
implementation a gssapi context is only valid for the lifetime of the
initiator's credential. So, when your client's credentials expire, the
security context also expires, and the client and server both start
failing to decrypt each other's packets. We first noticed this problem
because slapd would crash when the decryption failure occurred - this
problem no longer exists - but MIT Kerberos's behaviour has not changed.
Just renewing your credentials won't help, as the new credentials will
only be used when establishing a new security context, which only happens
when a new connection is opened.
Yep, MIT Kerberos is exactly what I was beginning to expect as well, which
is why I asked about the Kerberos libraries being used. That's what it
looks like is being used from the libraries Allan provided as well.
As mentioned on this list numerous times, do *not* use MIT kerberos with
OpenLDAP. Bad things happen. Use Heimdal Kerberos.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
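For readers who have to operate a long-lived GSSAPI-protected LDAP connection around the behaviour described in the quoted message, here is an added example; it is not code from the thread, from OpenLDAP or from MIT Kerberos. It models the rule stated above (the security context takes the lifetime of the credential the initiator held when the context was established, and a later renewal does not reach an existing context) and pairs it with a parser for MIT `klist` output, so a client such as a syncrepl consumer can see its context approaching expiry and rebind before both ends start failing to unwrap each other's packets. The klist text, principals, times, margin and function names are constructed for the example; klist's date format is locale-dependent and the parser assumes the default US form.

```python
import re
from datetime import datetime, timedelta

# Constructed klist output in the MIT layout. Principals and times are
# invented for this example; they are not from the thread.
KLIST_BEFORE_RENEW = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ldapclient@EXAMPLE.ORG

Valid starting       Expires              Service principal
08/31/2006 21:41:00  09/01/2006 07:41:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 09/07/2006 21:41:00
08/31/2006 21:41:05  09/01/2006 07:41:00  ldap/ldap.example.org@EXAMPLE.ORG
"""

# The same cache after a 'kinit -R' at 07:00 the next morning: a new
# lifetime under the same renew-until limit. Also constructed.
KLIST_AFTER_RENEW = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ldapclient@EXAMPLE.ORG

Valid starting       Expires              Service principal
09/01/2006 07:00:00  09/01/2006 17:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 09/07/2006 21:41:00
09/01/2006 07:00:02  09/01/2006 17:00:00  ldap/ldap.example.org@EXAMPLE.ORG
"""

LDAP_SERVICE = "ldap/ldap.example.org@EXAMPLE.ORG"
KLIST_TIME = "%m/%d/%Y %H:%M:%S"
# One credential line: valid-from, expires, service principal (US locale).
CRED_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def klist_time(text):
    """Parse a timestamp in klist's default US format."""
    return datetime.strptime(text, KLIST_TIME)


def parse_klist(text):
    """Map service principal -> (valid_from, expires) from MIT klist output.
    Header, blank and 'renew until' lines do not match and are skipped."""
    creds = {}
    for line in text.splitlines():
        m = CRED_LINE.match(line)
        if m:
            creds[m.group(3)] = (klist_time(m.group(1)), klist_time(m.group(2)))
    return creds


def establish_context(creds, service, at):
    """Model of the MIT behaviour described in the thread: the security
    context inherits the expiry of the initiator credential in hand when the
    context is set up. That expiry is frozen into the context; a later
    renewal of the ticket cache does not change it."""
    valid_from, expires = creds[service]
    if not valid_from <= at <= expires:
        raise ValueError(f"no valid credential for {service} at {at}")
    return {"service": service, "established": at, "expires": expires}


def context_status(ctx, now, margin=timedelta(minutes=5)):
    """'expired' once the frozen expiry has passed (both ends then fail to
    unwrap each other's packets), 'expiring' inside the safety margin, else
    'ok'. The five-minute margin is an arbitrary choice for the example."""
    if now >= ctx["expires"]:
        return "expired"
    if ctx["expires"] - now <= margin:
        return "expiring"
    return "ok"


def keep_alive(ctx, current_creds, now):
    """Decision for a long-lived client: keep the connection, or tear it
    down and rebind so a fresh context picks up the renewed credential.
    Renewing the ticket alone does nothing for the existing connection.
    Returns (action, context)."""
    if context_status(ctx, now) == "ok":
        return "keep", ctx
    return "rebind", establish_context(current_creds, ctx["service"], now)


if __name__ == "__main__":
    before = parse_klist(KLIST_BEFORE_RENEW)
    ctx = establish_context(before, LDAP_SERVICE, klist_time("08/31/2006 22:00:00"))
    after = parse_klist(KLIST_AFTER_RENEW)  # cache as seen after the 07:00 renewal
    for clock in ("07:00:00", "07:38:00", "08:00:00"):
        now = klist_time("09/01/2006 " + clock)
        action, live = keep_alive(ctx, after, now)
        print(clock, context_status(ctx, now), action, live["expires"])
```

Run stand-alone, the loop shows the connection bound at 22:00 still reporting "ok" at 07:00 even though the cache was renewed, then "expiring" at 07:38 and "expired" at 08:00, and in both of the latter cases the only remedy is a rebind that yields a context carrying the renewed 17:00 expiry.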