Re: Integration: MIT Kerberos V and OpenLDAP with SASL/GSSAPI

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Saturday, March 06, 2004 2:17 PM -0500 Kevin <openldap@gnosys.biz> 
wrote:

> On Saturday 06 March 2004 13:36, Quanah Gibson-Mount
> wrote:
> Quanah-
>
> Thanks very much for your reply.  I hadn't given any
> consideration to this issue at all.  What can I read
> to learn more about this thread issue?  I have only
> the most basic understanding of it, and I had the
> impression that MIT Kerberos V was sort-of the "Gold
> Standard" Kerberos implementation and as such, I
> thought I wouldn't have to worry about things like
> threads and stuff.
>
> If there is a patch the the MIT Kerberos sources to
> resolve this, could someone post it?  I just noticed
> that v1.3.2 of MIT Kerberos V has recently been
> released.  Does this problem also apply to 1.3.2, and
> will the patch work on 1.3.2?
>
> Thanks very kindly for pointing this out.

Hi Kevin,

Stanford is very much a MIT Krb5 shop, and we use it and its libraries for 
everything except the OpenLDAP servers.  I don't have the MIT krb5 patches, 
as I've never pursued that route.  One reason is what they do is mutex all 
the calls, which I think would have a negative impact on performance over 
how Heimdal operates, and for us, the server performance is a very big 
deal.  It is not difficult to compile & run Heimdal.

I've also worked some with the MIT folks on the threading issue, so I know 
it is on their to-do list.  However, I'm fairly certain that none of that 
work was put into 1.3.2.

You can find a lot about our configuration at:

<http://www.stanford.edu/services/directory/openldap/configuration/index.ht
ml>

Note that those pages are slightly behind IRT the versions we have 
deployed, but in general the build parameters apply.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html