[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Confusion over MIT/Heimdal compatibility

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Confusion over MIT/Heimdal compatibility
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Tue, 15 Apr 2008 19:50:08 +0100
Cc: Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>, openldap-software@openldap.org
In-reply-to: <6B267F50FB838ED640A6ECFE@[192.168.1.198]>
References: <20080415160213.GD5820@gunboat-diplomat.oucs.ox.ac.uk> <6B267F50FB838ED640A6ECFE@[192.168.1.198]>

On 15 Apr 2008, at 19:19, Quanah Gibson-Mount wrote:

As for the credential expiration issue, as far as I'm aware, the MIT folks have no desire to change how things behave now. If you don't want to deal with the problem, use a cyrus-sasl linked against Heimdal instead of MIT on your OpenLDAP servers.

Unfortunately, I think OpenLDAP needs to fix this problem. Continuing to use a connection past the lifetime of its security context is a bug. Just because Heimdal currently permits it doesn't make it any less of a bug, and if Heimdal fixes its behaviour, OpenLDAP will break. Given that SASL has no way of renegotiating a connection, OpenLDAP needs to detect the connection failure, and close and reopen the connection.

I keep thinking about fixing this - at the moment, we just restart our slave slapds just before their credentials expire.

Cheers,

Simon.

Follow-Ups:
- Re: Confusion over MIT/Heimdal compatibility
  - From: Howard Chu <hyc@symas.com>

References:
- Confusion over MIT/Heimdal compatibility
  - From: Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: insecure, convenient use of SSL
Next by Date: Re: A question about pwdMinAge
Index(es):
- Chronological
- Thread