[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Confusion over MIT/Heimdal compatibility

To: Simon Wilkinson <simon@sxw.org.uk>
Subject: Re: Confusion over MIT/Heimdal compatibility
From: Howard Chu <hyc@symas.com>
Date: Tue, 15 Apr 2008 13:32:20 -0700
Cc: Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>, openldap-software@openldap.org
In-reply-to: <301F3BFA-1AC9-4955-ADBE-F365F4ABF64D@sxw.org.uk>
References: <20080415160213.GD5820@gunboat-diplomat.oucs.ox.ac.uk> <6B267F50FB838ED640A6ECFE@[192.168.1.198]> <301F3BFA-1AC9-4955-ADBE-F365F4ABF64D@sxw.org.uk>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b5pre) Gecko/2008030700 SeaMonkey/2.0a1pre

Simon Wilkinson wrote:

On 15 Apr 2008, at 19:19, Quanah Gibson-Mount wrote:

  As for the credential expiration issue, as far as I'm aware, the
MIT folks have no desire to change how things behave now.  If you
don't want to deal with the problem, use a cyrus-sasl linked
against Heimdal instead of MIT on your OpenLDAP servers.


Unfortunately, I think OpenLDAP needs to fix this problem. Continuing
to use a connection past the lifetime of its security context is a
bug.

As explained previously on this list, it's a difference in philosophy, not a bug. Heimdal and OpenLDAP follow the Unix philosophy - permission checking is done upon first access to a resource. Once you obtain access to the resource, it's yours until you give it up, no matter what other subsequent permission changes occur while you're using it. You may not like this behavior, but it's consistent and predictable.

You might argue that the MIT approach is more correct, but I would say that it's highly inconsistent, and inconsistency is highly undesirable in a security mechanism. For instance, by your thinking, if you decide that security contexts must all be invalidated whenever and wherever they are changed, then you also need to close all connections whenever somebody changes their password, because any sessions established with the old password must now be considered invalid. The fact that MIT Kerberos doesn't do this should be considered an inconsistency in their implementation, and a security bug.

Ultimately I think the MIT implementation reflects muddy thinking, at multiple levels.

Just because Heimdal currently permits it doesn't make it any
less of a bug, and if Heimdal fixes its behaviour, OpenLDAP will
break. Given that SASL has no way of renegotiating a connection,
OpenLDAP needs to detect the connection failure, and close and reopen
the connection.

I keep thinking about fixing this - at the moment, we just restart
our slave slapds just before their credentials expire.

Cheers,

Simon.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Confusion over MIT/Heimdal compatibility
  - From: Simon Wilkinson <simon@sxw.org.uk>

References:
- Confusion over MIT/Heimdal compatibility
  - From: Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Simon Wilkinson <simon@sxw.org.uk>

Prev by Date: Re: Confusion over MIT/Heimdal compatibility
Next by Date: Re: Confusion over MIT/Heimdal compatibility
Index(es):
- Chronological
- Thread