
Re: OpenLDAP 2.1 (?) on RedHat Enterprise summary
On Thu, 6 May 2004, Quanah Gibson-Mount wrote:

> > There isn't any symbol pollution or anything, is there? Just risks if you
> > actually try to *use* kerberos calls in a multithreaded app?
> 
> No symbol polluting.  We install all the libraries into /usr/local/, and 
> that works just fine.  Note that OpenLDAP is a multi-threaded application, 
> which is why this matters.  I found that the entire application stack 
> (openssl,cyrus-sasl,openldap) became unstable when using MIT Kerberos, even 
> if I was simply doing anonymous binds to the OpenLDAP server.

But you still have kerberos *configured* in some way, don't you?

RedHat does modularize things pretty nicely; I've uninstalled the
cyrus-sasl-gssapi-2.1.15-3 package while keeping sasl-md5 and sasl-plain.

I am going to hope that as long as I don't have kerberos configured at all
(no keytab, no kerberos attributes or even schema in the directory), then
I'll be ok even with libk5crypto in openssl. If it still fails, then I
guess I'll compile a private openssl, too.

I want to avoid backing down to RHEL 2.1, which doesn't have openssl+krb5
or NPTL kernel issues, because it has such older versions of other things
we need.

Enough talk, time to actually start trying it!

Btw, are you doing any special magic nowadays to optimize sendmail's ldap
lookups, like connectionless or unix domain socket connections? I don't 
think this is really an issue for us -- the overhead of one TCP socket flap 
pales in comparison with virus scanning -- but just wondering.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator
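The question in the message above, whether Kerberos code ends up in the process even when nothing Kerberos-related is configured, can be answered from the linkage rather than from the configuration. The following shell snippet is an added example, not part of the original thread: it checks whether a shared library (such as the distribution's libssl) pulls in the MIT Kerberos libraries via `ldd`, and counts GSSAPI plugins left in the SASL plugin directory. The library paths, the `/usr/lib/sasl2` plugin directory, and the embedded `ldd` output are assumptions constructed for illustration, not captured from a real RHEL host.

```sh
#!/bin/sh
# Added example (not from the original e-mail). Two checks a defender can run
# before trusting that "Kerberos is not configured" means "no Kerberos code
# is loaded": (a) does a library link libk5crypto/libkrb5/libgssapi_krb5, and
# (b) is the cyrus-sasl GSSAPI plugin still installed. Paths are assumptions.

# Returns 0 if the ldd output read from stdin references an MIT Kerberos lib.
ldd_has_krb5() {
    grep -E 'lib(k5crypto|krb5|gssapi_krb5)\.so' >/dev/null
}

# Runs ldd on a library on this host and reports the verdict.
# Exit status: 0 = Kerberos linked in, 1 = not linked, 2 = file missing.
lib_links_krb5() {
    lib="$1"
    if [ ! -f "$lib" ]; then
        echo "$lib: not present" >&2
        return 2
    fi
    if ldd "$lib" | ldd_has_krb5; then
        echo "$lib: links MIT Kerberos (libk5crypto/libkrb5)"
        return 0
    fi
    echo "$lib: no Kerberos linkage"
    return 1
}

# Prints the number of GSSAPI plugins in a SASL plugin directory
# (default /usr/lib/sasl2, the conventional location; assumed here).
sasl_gssapi_plugins() {
    dir="${1:-/usr/lib/sasl2}"
    [ -d "$dir" ] || { echo 0; return 0; }
    ls "$dir" 2>/dev/null | grep -c 'gssapi' || true
}

# Constructed sample shaped like ldd output for a krb5-enabled openssl build
# (illustrative only; not captured from a real system).
SAMPLE_LDD='libcrypto.so.4 => /lib/libcrypto.so.4 (0x00111000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x00222000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x00333000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x00444000)
libc.so.6 => /lib/tls/libc.so.6 (0x00555000)'

# Constructed sample for a privately built openssl without Kerberos support.
SAMPLE_LDD_CLEAN='libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x00111000)
libc.so.6 => /lib/tls/libc.so.6 (0x00555000)'

# Stand-alone usage: check every library path given on the command line,
# then report how many GSSAPI plugins remain in the SASL plugin directory.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        lib_links_krb5 "$f" || true
    done
    echo "GSSAPI SASL plugins installed: $(sasl_gssapi_plugins)"
fi
```

Run it as `sh check_krb5_linkage.sh /lib/libssl.so.4 /usr/lib/libldap.so.2` (paths are examples). Removing the `cyrus-sasl-gssapi` package closes the SASL GSSAPI path, but a Kerberos-linked libssl still loads the MIT libraries into every process that uses it; only the `ldd` check, not the absence of a keytab, tells you which case you are in.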