Re: Help with SASL/GSSAPI to remote Kerberos server

Russ Allbery <rra@stanford.edu> writes:

> That's a really good question and I don't know the answer to that.  I
> can imagine reasons why it would be both ways.  This might be a good
> question to ask on kerberos@mit.edu, and I may go do that for my own
> curiosity.

Ken Raeburn says:

| We currently assume that a security context is used in only one thread
| at a time, so you could switch between threads, just not use it
| simultaneously in multiple threads.  But the person looking into it
| earlier concluded that there may not be anything besides the sequence
| number that's actually subject to race conditions there (and that
| window's probably small enough that it might "work fine in practice"
| much of the time, but no promises), so we could look into extending the
| concurrency for this case, and just do some internal locking around the
| sequence number accesses.

So indeed, don't use MIT Kerberos with OpenLDAP for right now until that
additional locking is in place.  Once it is, it should be safe.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
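
The "internal locking around the sequence number accesses" that Ken Raeburn describes, as an added C illustration that is not part of the original message and is not MIT Kerberos or OpenLDAP code. The names `toy_ctx`, `send_seq`, `toy_next_seq` and `run_shared_context` are hypothetical stand-ins for one security context shared by several threads.

```c
/* Added illustration: a toy stand-in for a shared security context. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THREADS 4
#define WRAPS_PER_THREAD 20000
#define TOTAL (THREADS * WRAPS_PER_THREAD)

struct toy_ctx {                 /* hypothetical: only the field named as racy */
    uint32_t send_seq;           /* next per-message sequence number */
    pthread_mutex_t seq_lock;    /* the internal lock around it */
};
static unsigned char seen[TOTAL];   /* how often each sequence number was issued */

/* Claim the next sequence number; the read-modify-write is the race window. */
static uint32_t toy_next_seq(struct toy_ctx *ctx) {
    pthread_mutex_lock(&ctx->seq_lock);
    uint32_t seq = ctx->send_seq++;
    pthread_mutex_unlock(&ctx->seq_lock);
    return seq;
}

static void *worker(void *arg) {
    struct toy_ctx *ctx = arg;
    for (int i = 0; i < WRAPS_PER_THREAD; i++)   /* GCC/Clang atomic builtin */
        __atomic_add_fetch(&seen[toy_next_seq(ctx)], 1, __ATOMIC_RELAXED);
    return NULL;
}

/* Returns how many sequence numbers were skipped or handed out twice. */
int run_shared_context(void) {
    struct toy_ctx ctx = { 0, PTHREAD_MUTEX_INITIALIZER };
    pthread_t tid[THREADS];
    int bad = 0;
    memset(seen, 0, sizeof seen);
    for (int t = 0; t < THREADS; t++) pthread_create(&tid[t], NULL, worker, &ctx);
    for (int t = 0; t < THREADS; t++) pthread_join(tid[t], NULL);
    for (int s = 0; s < TOTAL; s++) bad += (seen[s] != 1);
    return bad;
}

int main(void) {
    printf("skipped or duplicated sequence numbers: %d\n", run_shared_context());
    return 0;
}
```

Removing the lock and unlock calls in `toy_next_seq` reproduces the window the message describes: two threads can read the same `send_seq` value, so one number is issued twice and another is never issued.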