Re: Help with SASL/GSSAPI to remote Kerberos server
Russ Allbery <rra@stanford.edu> writes:
> That's a really good question and I don't know the answer to that. I
> can imagine reasons why it would be both ways. This might be a good
> question to ask on kerberos@mit.edu, and I may go do that for my own
> curiosity.
Ken Raeburn says:
| We currently assume that a security context is used in only one thread
| at a time, so you could switch between threads, just not use it
| simultaneously in multiple threads. But the person looking into it
| earlier concluded that there may not be anything besides the sequence
| number that's actually subject to race conditions there (and that
| window's probably small enough that it might "work fine in practice"
| much of the time, but no promises), so we could look into extending the
| concurrency for this case, and just do some internal locking around the
| sequence number accesses.
So indeed, don't use MIT Kerberos with OpenLDAP for right now until that
additional locking is in place. Once it is, it should be safe.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
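
What "internal locking around the sequence number accesses" amounts to, as an added example that is not MIT Kerberos code and not part of the original message: a toy context whose sequence number is taken under a mutex, with a check that four threads sharing it never reuse or skip a number. The names struct toy_ctx, toy_next_seq and run_shared_context and the thread counts are hypothetical.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>

#define THREADS 4
#define PER_THREAD 5000

/* Toy stand-in for a security context: only the per-message sequence number. */
struct toy_ctx {
    pthread_mutex_t lock;   /* guards seq */
    uint64_t seq;           /* next sequence number to stamp on a token */
};

static struct toy_ctx ctx = { PTHREAD_MUTEX_INITIALIZER, 0 };
static unsigned char seen[THREADS * PER_THREAD];   /* times each number was issued */

/* Hypothetical wrap step: read and advance the sequence number as one unit. */
static uint64_t toy_next_seq(struct toy_ctx *c)
{
    pthread_mutex_lock(&c->lock);
    uint64_t n = c->seq++;   /* without the lock, two threads can read the same n */
    pthread_mutex_unlock(&c->lock);
    return n;
}

static void *worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < PER_THREAD; i++)
        seen[toy_next_seq(&ctx)]++;
    return NULL;
}

/* Returns how many sequence numbers were not issued exactly once (0 = no reuse, no gaps). */
int run_shared_context(void)
{
    pthread_t t[THREADS];
    int bad = 0;
    ctx.seq = 0;
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < THREADS; i++)
        pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < THREADS; i++)
        pthread_join(t[i], NULL);
    for (int i = 0; i < THREADS * PER_THREAD; i++)
        if (seen[i] != 1) bad++;
    return bad;
}

int main(void) { return run_shared_context() != 0; }
```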