Re: errant SASL/GSSAPI setup?

[Donn Cave <donn@u.washington.edu>]

On Sep 1, 2006, at 7:42 AM, Quanah Gibson-Mount wrote:

...
> I guess that depends on your definition of "works".  Any time I've  
> tested OpenLDAP slapd compiled against MIT Kerberos instead of  
> Heimdal, it has been at *least* 4 times slower, and has a very high  
> rate of failed connections under load.  Now understand, Stanford  
> *is* an MIT Kerberos shop.  We use it for just about everything  
> from the KDC down.  But quite frankly, if you want a stable,  
> reliable, fast OpenLDAP server, you simply don't link it against  
> MIT Kerberos at this time.

Do you mean, reliable & fast _under a significant GSS authentication  
load_?

Above you appear to say that our server, linked with MIT Kerberos,  
simply
can't be fast and reliable.  I have tried both ways - with Heimdal, with
MIT - and Heimdal wasn't nearly worth the trouble for us.  But we don't
expect that much GSS authentication in the foreseeable future,  
because we
have no user-level applications for authenticated directory service.   
MIT
GSSAPI gives us the ability to respond to occasional demand that may  
arise,
without much support burden (and with replay cache), and merely linking
against it certainly does not compromise slapd at all.

Of course it would be foolish to discount your experience, but I agree
with Andreas when it comes to what you're saying, as opposed to what
I suppose you mean.

	Donn Cave, donn@u.washington.edu