Re: errant SASL/GSSAPI setup?
--On Friday, September 01, 2006 9:45 AM -0300 Andreas Hasenack
> On Thu, Aug 31, 2006 at 02:59:10PM -0700, Quanah Gibson-Mount wrote:
>>> Yep, MIT Kerberos is exactly what I was beginning to expect as well,
>>> which is why I asked about the Kerberos libraries being used. That's
>>> what it looks like is being used from Allan's libraries he provided as
>> As mentioned on this list numerous times, do *not* use MIT kerberos with
>> OpenLDAP. Bad things happen. Use Heimdal Kerberos.
> I'm sorry, but this is harsh. I have used mit kerberos for years with
> openldap and it works just fine for me. Also, consider that heimdal
> development seems stalled and mit's is thriving, and that no current
> linux distro ships it by default anymore. I even sent some trivial
> patches to the heimdal list and got absolutely no response. Sometimes I
> even wonder if I'm still subscribed, given the super low traffic.
I guess that depends on your definition of "works". Any time I've tested
OpenLDAP slapd compiled against MIT Kerberos instead of Heimdal, it has
been at *least* 4 times slower, and has a very high rate of failed
connections under load. Now understand, Stanford *is* an MIT Kerberos
shop. We use it for just about everything from the KDC down. But quite
frankly, if you want a stable, reliable, fast OpenLDAP server, you simply
don't link it against MIT Kerberos at this time.
I also work directly with the MIT Kerberos developers in this testing, and
they have worked hard to improve how their implementation works. In fact,
one of my co-workers is one of the MIT Kerberos developers. ;)
Interestingly enough, this revelation about the broken behavior in MIT
Kerberos and SASL/GSSAPI actually explains some problems we've seen in our
applications using MIT Kerberos. I filed a bug on this with the MIT
Kerberos folks, and they are looking at how they want to solve it.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
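The thread turns on which Kerberos implementation slapd and the SASL GSSAPI plugin are actually linked against, which is not always obvious once a distribution's packages are involved. The following is an added example, not code from the thread or from the OpenLDAP, Cyrus SASL, MIT or Heimdal projects: a POSIX sh helper that reads `ldd` output and classifies the linkage as MIT or Heimdal from the library sonames each implementation uses (MIT: libgssapi_krb5, libk5crypto, libkrb5support; Heimdal: libgssapi, libroken, libasn1, libhcrypto). The two sample `ldd` outputs are constructed for the demo, and the paths `/usr/sbin/slapd` and `/usr/lib/sasl2/libgssapiv2.so` mentioned as targets are typical locations, not ones the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which Kerberos
# implementation a binary or SASL plugin is dynamically linked against, by
# looking at its ldd output. Sample ldd outputs below are constructed.

# Read ldd output on stdin; print one of: MIT, Heimdal, mixed, none.
# libkrb5.so alone is ambiguous (both implementations ship one), so it is
# deliberately not counted; the implementation-specific sonames decide.
classify_krb5_libs() {
    mit=0
    heimdal=0
    while IFS= read -r line; do
        case "$line" in
            *libgssapi_krb5.so*|*libk5crypto.so*|*libkrb5support.so*) mit=1 ;;
            *libroken.so*|*libasn1.so*|*libhcrypto.so*|*libheimntlm.so*) heimdal=1 ;;
            *libgssapi.so*) heimdal=1 ;;  # Heimdal's GSSAPI; MIT's is libgssapi_krb5
        esac
    done
    if [ "$mit" -eq 1 ] && [ "$heimdal" -eq 1 ]; then echo mixed
    elif [ "$mit" -eq 1 ]; then echo MIT
    elif [ "$heimdal" -eq 1 ]; then echo Heimdal
    else echo none
    fi
}

# Run the classifier against a real file (needs ldd); prints "<path>: <result>".
# A "mixed" result means two Kerberos implementations are loaded into one
# process, which is worth investigating before blaming either library.
check_binary() {
    if [ ! -e "$1" ]; then
        echo "$1: not found"
        return 1
    fi
    printf '%s: %s\n' "$1" "$(ldd "$1" 2>/dev/null | classify_krb5_libs)"
}

# Constructed ldd output resembling an MIT-linked slapd.
SAMPLE_MIT='        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00000000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00000000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00000000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00000000)'

# Constructed ldd output resembling a Heimdal-linked GSSAPI plugin.
SAMPLE_HEIMDAL='        libgssapi.so.3 => /usr/lib/libgssapi.so.3 (0x00000000)
        libkrb5.so.26 => /usr/lib/libkrb5.so.26 (0x00000000)
        libasn1.so.8 => /usr/lib/libasn1.so.8 (0x00000000)
        libroken.so.18 => /usr/lib/libroken.so.18 (0x00000000)'

# Demo on the constructed samples, then on any paths given as arguments,
# e.g.: sh krb5linkcheck.sh /usr/sbin/slapd /usr/lib/sasl2/libgssapiv2.so
printf '%s\n' "$SAMPLE_MIT"     | classify_krb5_libs   # MIT
printf '%s\n' "$SAMPLE_HEIMDAL" | classify_krb5_libs   # Heimdal
for f in "$@"; do check_binary "$f"; done
```

Check both slapd itself and the Cyrus SASL GSSAPI plugin it loads: the plugin is dlopen'ed at run time, so `ldd` on slapd alone will not show which Kerberos library the GSSAPI mechanism brings in.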