On Sep 1, 2006, at 7:42 AM, Quanah Gibson-Mount wrote:
...
> I guess that depends on your definition of "works". Any time I've
> tested OpenLDAP slapd compiled against MIT Kerberos instead of
> Heimdal, it has been at *least* 4 times slower, and has a very high
> rate of failed connections under load. Now understand, Stanford
> *is* an MIT Kerberos shop. We use it for just about everything
> from the KDC down. But quite frankly, if you want a stable,
> reliable, fast OpenLDAP server, you simply don't link it against
> MIT Kerberos at this time.

Do you mean, reliable & fast _under a significant GSS authentication
load_?
Above you appear to say that our server, linked with MIT Kerberos, simply
can't be fast and reliable. I have tried both ways - with Heimdal, with
MIT - and Heimdal wasn't nearly worth the trouble for us. But we don't
expect that much GSS authentication in the foreseeable future, because we
have no user-level applications for authenticated directory service. MIT
GSSAPI gives us the ability to respond to occasional demand that may
arise, without much support burden (and with replay cache), and merely
linking against it certainly does not compromise slapd at all.