[Date Prev][Date Next]
Re: errant SASL/GSSAPI setup?
- To: Quanah Gibson-Mount <firstname.lastname@example.org>
- Subject: Re: errant SASL/GSSAPI setup?
- From: Simon Wilkinson <email@example.com>
- Date: Thu, 21 Sep 2006 10:45:18 +0100
- Cc: "Allan E. Johannesen" <aej@WPI.EDU>, openldap-software@OpenLDAP.org
- In-reply-to: <2BC57B9BC8697D3A288A8A7D@SW-90-717-287-3.stanford.edu>
- References: <20060831204134.2D79CD000219@mwinf7001.orange.net> <2BC57B9BC8697D3A288A8A7D@SW-90-717-287-3.stanford.edu>
On 31 Aug 2006, at 22:59, Quanah Gibson-Mount wrote:
Yep, MIT Kerberos is exactly what I was beginning to expect as
well, which is why I asked about the Kerberos libraries being
used. That's what it looks like is being used from Allan's
libraries he provided as wel.
As mentioned on this list numerous times, do *not* use MIT kerberos
with OpenLDAP. Bad things happen. Use Heimdal Kerberos.
I've been thinking further about this. Whilst not wanting to get
drawn into an MIT Kerberos vs Heimdal debate, I think that in this
case Heimdal's behaviour is in error.
The lifetime of a GSSAPI context is derived from the minimum of the
requested lifetime, the lifetime of the initiator credentials, and
the lifetime of the acceptor credentials. Cyrus doesn't request a
minimum lifetime, and Kerberos acceptors don't have a lifetime (they
come from the keytab), so the lifetime becomes equal to the lifetime
of the initiator credentials.
It's fairly clear that allowing encryption options to occur within a
context whose lifetime has expired is an error. Unfortunately, SASL-
GSSAPI has no concept of rekeying an existing connection, so the only
option upon context expiry is to tear down and build a new connection.
Whilst this isn't the correct forum for discussing the details of
GSSAPI security contexts, or of the limitations of the current SASL-
GSSAPI mechansim, there is a general OpenLDAP issue here. OpenLDAP
needs to be able to handle a session for which security layer
operations start failing, and to be able to deal with (on the
'client' side) re-establishing connections where this occurs