[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on LDAP support in heimdal
Andrew Bartlett wrote:
> On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:
>> ldaps also is good idea :-)
> The main issue with moving off-host is that heimdal is single-threaded,
> and would need to cache connections and handle disconnects much better.
> Samba has a lot of experience in this area, and we found it is actually
> a lot of work.
> While it is rarely a problem in the single-host setup, if your remote
> ldap server goes down, Heimdal currently returns 'user does not exist'
> messages to the client, which then doesn't try any other possible KDCs.
In this respect I suggest leaving Heimdal using ldapi exclusively. If
you want to access a remote LDAP server, then run a slapd with back-ldap
to cross that gap. It already does connection caching and retries. Maybe
one day when we get the time to redesign the LDAP API we'll make it
simple enough for any application to get these features, but for now it
makes sense to conserve effort and just leave this issue to slapd where
it has already been solved.
Of course, it's probably still a good idea to use a temporary failure
code for those LDAP_UNAVAILABLE or LDAP_SERVER_DOWN cases.
> However, if Heimdal is to update the LDAP backend with logon counts, bad
> password lockout and the rest, it will have to handle referrals and
> ldaps etc. Use of transport-layer authentication (SASL EXTERNAL) might
> avoid some of the issues with password storage. (Samba uses
While I do prefer the use of SASL EXTERNAL, the fact is that the issue
of secret storage remains the same - a cert's private key must still be
available after all.
But I question the need to talk to a remote LDAP server in the first
place. How many KDCs do you usually deploy in a network? I think the
right answer in any given domain/realm is One, plus a backup. When you
have geographically diverse users, you usually split the realm and
create a local KDC for that purpose... As a general rule, you don't want
to have to look Very Far Away to get an answer to an authentication
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/