[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap crashes on GSSAPI authentication





--On Friday, February 21, 2003 11:30 AM -0500 Stephen Frost <sfrost@snowman.net> wrote:

* Quanah Gibson-Mount (quanah@stanford.edu) wrote:
--On Friday, February 21, 2003 10:09 AM -0500 Stephen Frost
<sfrost@snowman.net> wrote:
> Havn't had any problems here so far, though I havn't hit the ldap
> server very hard.

I have, and I guarantee you that the MIT libraries are not thread safe.
Heimdal-0.5.1 is not thread safe, either.  You need to get a version of
Heimdal later than 0.5.1 (via CVS), and compile that.  There is also one
small patch you need to apply to the CVS code, unless you are compiling
on  AIX:

Hrm, well, that's unfortunate. I wonder if it might be possible to at least put a mutex around the SASL calls from LDAP. That might be easy enough and should fix it, with some performance loss of course. Do you see problems when things are under load, or just randomly? Have you heard anything about if MIT will modify their code to be threadsafe?

I haven't heard anything from MIT, nor pursued it with them. We have found that using the MIT libraries leads to a variety of problems, from our JNDI application which writes to the directory server, to the directory servers and directory clients. It leads to instability in slapd over time on the server side on light loads, and on heavy loads, you get slapd lockups, dropped connections, etc. Given that compiling Cyrus-SASL with Heimdal works without problem, I suggest doing that for applications that will be accessing the directory as well as when compiling SASL support into Openldap.


--Quanah


-- Quanah Gibson-Mount Senior Systems Administrator ITSS/TSS/Computing Systems Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html