
RE: ACL/ACI && SASL



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson

> >>>>> "Stephen" == Stephen Frost <sfrost@snowman.net> writes:
>
>     Stephen> * Turbo Fredriksson (turbo@bayour.com) wrote:
>     Quanah> I will note that for the servers, you will want to compile
>     Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
>     Quanah> using threads, as your servers will not be stable
>     Quanah> otherwise. ;) For clients, it doesn't really matter too
>     Quanah> much.
>     >>  There's no WAY I'm switching to KTH kerberos! Not for
>     >> 'sentimental' or other 'strange' :) reasons. I'm not going
>     >> to rebuild my WHOLE site, with lots of users, usage etc,
>     >> etc. It will take WAY too much time, effort and most of all
>     >> MONEY to switch.
>     >>
>     >> It's just not a viable option if you think of it...
>
>     Stephen> Just as a note on this, threadsafety has been brought up
>     Stephen> to the MIT folks and they have said they will work on having
>     Stephen> it in 1.4, iirc.
>
> Yes I know, I can hardly wait :)

Given that they're currently only at 1.2.8, you must be able to hold your
breath for an amazing length of time.
>
> But from what I've read on this list, it's not THAT big a problem...
>
> I've never had any problems with MIT Kerberos and OpenLDAP 2.0, even
> if I use threads...

You will. There are plenty of reports in the ITS from other people who have.
It's only a matter of time before your slapd crashes if you're using the MIT
library. Your attitude on this topic makes very little sense.

You don't need to rebuild your whole site. None of your existing Kerberos
accounts are affected. The only thing you need to do is build the Heimdal
libraries and then link slapd with them. This change only affects the machine
where slapd runs, none of your other clients ever needs to change.

Of course, when you're using SASL, you don't even need to link Kerberos into
slapd, you only need to build it into SASL.

Anyway, feel free to ignore all the good advice you're given. Just don't be
surprised when things fail.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support