[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

--On Friday, September 01, 2006 9:45 AM -0300 Andreas Hasenack <ahasenack@terra.com.br> wrote:

On Thu, Aug 31, 2006 at 02:59:10PM -0700, Quanah Gibson-Mount wrote:
Yep, MIT Kerberos is exactly what I was beginning to expect as well,
which  is why I asked about the Kerberos libraries being used.  That's
what it  looks like is being used from Allan's libraries he provided as

As mentioned on this list numerous times, do *not* use MIT kerberos with
OpenLDAP.  Bad things happen.  Use Heimdal Kerberos.

I'm sorry, but this is harsh. I have used mit kerberos for years with openldap and it works just fine for me. Also, consider that heimdal development seems stalled and mit's is thriving, and that no current linux distro ships it by default anymore. I even sent some trivial patches to the heimdal list and got absolutely no response. Sometimes I even wonder if I'm still subscribed, given the super low traffic.

I guess that depends on your definition of "works". Any time I've tested OpenLDAP slapd compiled against MIT Kerberos instead of Heimdal, it has been at *least* 4 times slower, and has a very high rate of failed connections under load. Now understand, Stanford *is* an MIT Kerberos shop. We use it for just about everything from the KDC down. But quite frankly, if you want a stable, reliable, fast OpenLDAP server, you simply don't link it against MIT Kerberos at this time.

I also work directly with the MIT Kerberos developers in this testing, and they have worked hard to improve how their implementation works. In fact, one of my co-workers is one of the MIT Kerberos developers. ;)

Intersetingly enough, this revelation about the broken behavior in MIT Kerberos and SASL/GSSAPI actually explains some problems we've seen in our applications using MIT Kerberos. I filed a bug on this with the MIT Kerberos folks, and they are looking at how they want to solve it.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html