On 15 Apr 2008, at 19:19, Quanah Gibson-Mount wrote:
> As for the credential expiration issue, as far as I'm aware, the
> MIT folks have no desire to change how things behave now. If you
> don't want to deal with the problem, use a cyrus-sasl linked
> against Heimdal instead of MIT on your OpenLDAP servers.
Unfortunately, I think OpenLDAP needs to fix this problem. Continuing
to use a connection past the lifetime of its security context is a
bug.
Just because Heimdal currently permits it doesn't make it any
less of a bug, and if Heimdal fixes its behaviour, OpenLDAP will
break. Given that SASL has no way of renegotiating a connection,
OpenLDAP needs to detect the connection failure, and close and reopen
the connection.
I keep thinking about fixing this - at the moment, we just restart
our slave slapds just before their credentials expire.
Cheers,
Simon.