[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on LDAP support in heimdal

On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:
> ldaps also is good idea :-)

The main issue with moving off-host is that heimdal is single-threaded,
and would need to cache connections and handle disconnects much better.
Samba has a lot of experience in this area, and we found it is actually
a lot of work.

While it is rarely a problem in the single-host setup, if your remote
ldap server goes down, Heimdal currently returns 'user does not exist'
messages to the client, which then doesn't try any other possible KDCs.

However, if Heimdal is to update the LDAP backend with logon counts, bad
password lockout and the rest, it will have to handle referrals and
ldaps etc.  Use of transport-layer authentication (SASL EXTERNAL) might
avoid some of the issues with password storage.  (Samba uses

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part