Re: errant SASL/GSSAPI setup?
On Sep 1, 2006, at 7:42 AM, Quanah Gibson-Mount wrote:

I guess that depends on your definition of "works". Any time I've
tested OpenLDAP slapd compiled against MIT Kerberos instead of
Heimdal, it has been at *least* 4 times slower, and has a very high
rate of failed connections under load. Now understand, Stanford
*is* an MIT Kerberos shop. We use it for just about everything
from the KDC down. But quite frankly, if you want a stable,
reliable, fast OpenLDAP server, you simply don't link it against
MIT Kerberos at this time.

Do you mean, reliable & fast _under a significant GSS authentication
Above you appear to say that our server, linked with MIT Kerberos,
can't be fast and reliable. I have tried both ways - with Heimdal, with
MIT - and Heimdal wasn't nearly worth the trouble for us. But we don't
expect that much GSS authentication in the foreseeable future,
have no user-level applications for authenticated directory service.
GSSAPI gives us the ability to respond to occasional demand that may
without much support burden (and with replay cache), and merely linking
against it certainly does not compromise slapd at all.
Of course it would be foolish to discount your experience, but I agree
with Andreas when it comes to what you're saying, as opposed to what
I suppose you mean.
Donn Cave, email@example.com