On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:

> ldaps also is good idea :-)

The main issue with moving off-host is that heimdal is single-threaded, and would need to cache connections and handle disconnects much better. Samba has a lot of experience in this area, and we found it is actually a lot of work.

While it is rarely a problem in the single-host setup, if your remote ldap server goes down, Heimdal currently returns 'user does not exist' messages to the client, which then doesn't try any other possible KDCs.

However, if Heimdal is to update the LDAP backend with logon counts, bad password lockout and the rest, it will have to handle referrals and ldaps etc.

Use of transport-layer authentication (SASL EXTERNAL) might avoid some of the issues with password storage. (Samba uses secrets.tdb).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
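The failure mode Andrew describes (a remote LDAP backend going away and the KDC answering "user does not exist" instead of signalling that it could not look the user up) comes down to keeping two backend conditions apart: "the entry is not there" and "I could not ask". The following is an added illustration, not Heimdal or Samba code and not the HDB interface; the LDAP connection is simulated with a `server_up` knob, the directory contents are constructed, and the `backend_rc` values and `kdc_lookup_principal` function are hypothetical names. The error numbers are the RFC 4120 values; whether a given Kerberos client then tries another KDC depends on that client, so the point shown is only that a dead backend must not be reported as an unknown principal.

```c
#include <stdio.h>
#include <string.h>

/* Kerberos error codes from RFC 4120, section 7.5.9. */
#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6
#define KRB_ERR_GENERIC             60

/* Hypothetical backend status; stands in for whatever a real HDB module returns. */
enum backend_rc { BACKEND_OK = 0, BACKEND_NOENTRY, BACKEND_UNAVAILABLE };

/* Simulated LDAP connection. server_up is a test knob that models the remote
 * directory going away; a real implementation would see an LDAP error code. */
struct ldap_conn {
    int connected;
    int server_up;
    int reconnects;
};

/* Constructed sample directory contents (not real data). */
static const char *directory[] = { "alice@EXAMPLE.COM", "bob@EXAMPLE.COM" };

static int backend_connect(struct ldap_conn *c)
{
    if (!c->server_up) {
        c->connected = 0;
        return -1;
    }
    c->connected = 1;
    c->reconnects++;
    return 0;
}

/* One search with a single reconnect on failure. The important property is
 * that "the entry is not there" and "I could not ask" are different results. */
static enum backend_rc backend_lookup(struct ldap_conn *c, const char *princ)
{
    int attempt;
    for (attempt = 0; attempt < 2; attempt++) {
        size_t i;
        if (!c->connected && backend_connect(c) != 0)
            continue;                 /* reconnect failed, try once more */
        if (!c->server_up) {          /* connection dropped under us */
            c->connected = 0;
            continue;
        }
        for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
            if (strcmp(directory[i], princ) == 0)
                return BACKEND_OK;
        return BACKEND_NOENTRY;       /* we asked, and the entry really is absent */
    }
    return BACKEND_UNAVAILABLE;       /* we never got an answer from the directory */
}

/* What the KDC tells the client. Only a genuine "no such entry" becomes
 * KDC_ERR_C_PRINCIPAL_UNKNOWN; a dead backend becomes a generic error, so the
 * client is not told something definitive about a user we could not look up. */
int kdc_lookup_principal(struct ldap_conn *c, const char *princ)
{
    switch (backend_lookup(c, princ)) {
    case BACKEND_OK:      return 0;
    case BACKEND_NOENTRY: return KDC_ERR_C_PRINCIPAL_UNKNOWN;
    default:              return KRB_ERR_GENERIC;
    }
}

int main(void)
{
    struct ldap_conn c = { 0, 1, 0 };
    printf("alice: %d\n", kdc_lookup_principal(&c, "alice@EXAMPLE.COM"));
    c.server_up = 0;
    printf("alice while backend is down: %d\n",
           kdc_lookup_principal(&c, "alice@EXAMPLE.COM"));
    c.server_up = 1;
    printf("alice after backend returns: %d (reconnects=%d)\n",
           kdc_lookup_principal(&c, "alice@EXAMPLE.COM"), c.reconnects);
    return 0;
}
```

The reconnect counter is what a connection cache has to get right: the lookup re-establishes the session transparently when the directory comes back, but while it is down the KDC reports unavailability rather than inventing an answer.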