[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with SASL/GSSAPI to remote Kerberos server

To: Russ Allbery <rra@stanford.edu>
Subject: Re: Help with SASL/GSSAPI to remote Kerberos server
From: Howard Chu <hyc@symas.com>
Date: Tue, 19 Feb 2008 23:24:50 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <87d4qsjfxx.fsf@windlord.stanford.edu>
References: <47BB72A7.9060205@ucsc.edu> <47BBB668.5050504@symas.com> <87d4qsjfxx.fsf@windlord.stanford.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Russ Allbery wrote:

Howard Chu<hyc@symas.com> writes:

Wes Modes wrote:

Specifics of my configuration:

     * OS: Red Hat Enterprise 4 v2.6.9
     * OpenLDAP v2.2.13
     * Local MIT Kerberos5 v1.3.4
     * KDC: MIT Kerberos5 v?
     * Cyrus SASL v2.1.19

All of these versions are far outdated, and MIT Kerberos is known to be
unsafe in a threaded environment (and yes, OpenLDAP slapd is threaded).


That is definitely true of that version of MIT Kerberos, which if I recall
correctly made no attempt at thread safety whatsoever.

The MIT Kerberos team believes that they've fixed all the thread safety
correctness bugs, within the thread safety guarantees that the library
attempts to provide [1], in the current release (1.6.3) and would welcome
bug reports for any remaining problems.  I believe that OpenLDAP does meet
the prerequisites for using MIT Kerberos safely.


Hmm....

[1] MIT Kerberos only supports thread safety provided that no single
     krb5_context is used from multiple threads.  Each thread needs to have
     its own krb5_context.  In a GSSAPI context, this means that you must
     ensure that only one thread uses each GSSAPI security context.

Is this condition strictly on the authentication process, or also on the encryption library in general?

There are no such guarantees inside slapd. There is one context per connection, but multiple operations may be active on a single connection at the same time, and each operation executes in a separate thread. But since there can only be one authentication outstanding per connection, it may be OK.

Otherwise, while only one thread at a time can read a connection, and only one thread at a time can write on a connection, both reads and writes can occur simultaneously. This is a very common case for a client that issues a batch of asynchronous operations and streams the replies. From your description above, this case will still break with MIT Kerberos. I gave up on the MIT code back in 1.3.x, so I haven't tested this lately. Someone who cares about MIT's code probably should take a look at it though. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: Help with SASL/GSSAPI to remote Kerberos server
  - From: Russ Allbery <rra@stanford.edu>

References:
- Help with SASL/GSSAPI to remote Kerberos server
  - From: Wes Modes <wmodes@ucsc.edu>
- Re: Help with SASL/GSSAPI to remote Kerberos server
  - From: Howard Chu <hyc@symas.com>
- Re: Help with SASL/GSSAPI to remote Kerberos server
  - From: Russ Allbery <rra@stanford.edu>

Prev by Date: Re: Password change synchronization
Next by Date: Re: Password change synchronization
Index(es):
- Chronological
- Thread