[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: open ldap with SASL & GSSAPI

To: openldap-software@openldap.org
Subject: Re: open ldap with SASL & GSSAPI
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 09 Nov 2006 10:01:19 -0800
Content-disposition: inline
In-reply-to: <AC072E52-4190-4DEC-82CF-F44ACCBB49EE@u.washington.edu>
References: <1163016506.2686.16.camel@minitop.jive-turkey.net> <45529237.2060109@symas.com> <1163047865.2686.49.camel@minitop.jive-turkey.net> <AC072E52-4190-4DEC-82CF-F44ACCBB49EE@u.washington.edu>

--On Thursday, November 09, 2006 9:48 AM -0800 Donn Cave <donn@u.washington.edu> wrote:

On the other hand, we use MIT Kerberos with slapd.  I have
observed reduced authentication speed, compared to SSL, but
as I understand it that comes from replay cache functionality
in the MIT server that serves an arguably desirable purpose.
With current Cyrus SASL, I don't see any serious problem with
MIT Kerberos, but if you're expecting an extremely heavy load
of GSSAPI authentication and are willing to dispense with the
replay cache checks, your perspective might be different.

Funny, because the MIT developers always tell me to turn off the replay cache first thing, when using the MIT libraries, as it is something they seem to feel should *not* be used with OpenLDAP.

Set KRB5RCACHETYPE to "none".

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- open ldap with SASL & GSSAPI
  - From: Maxwell Bottiger <sleepylight@jive-turkey.net>
- Re: open ldap with SASL & GSSAPI
  - From: Howard Chu <hyc@symas.com>
- Re: open ldap with SASL & GSSAPI
  - From: Maxwell Bottiger <sleepylight@jive-turkey.net>
- Re: open ldap with SASL & GSSAPI
  - From: Donn Cave <donn@u.washington.edu>

Prev by Date: Re: slow queries with long strings in filters
Next by Date: Re: slow queries with long strings in filters
Index(es):
- Chronological
- Thread