
Re: Comments on LDAP support in heimdal



Andrew Bartlett wrote:
> On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:
>> ldaps is also a good idea :-)
> 
> The main issue with moving off-host is that heimdal is single-threaded,
> and would need to cache connections and handle disconnects much better.
> Samba has a lot of experience in this area, and we found it is actually
> a lot of work.
> 
> While it is rarely a problem in the single-host setup, if your remote
> ldap server goes down, Heimdal currently returns 'user does not exist'
> messages to the client, which then doesn't try any other possible KDCs.

In this respect I suggest leaving Heimdal using ldapi exclusively. If 
you want to access a remote LDAP server, then run a slapd with back-ldap 
to cross that gap. It already does connection caching and retries. Maybe 
one day when we get the time to redesign the LDAP API we'll make it 
simple enough for any application to get these features, but for now it 
makes sense to conserve effort and just leave this issue to slapd where 
it has already been solved.

Of course, it's probably still a good idea to use a temporary failure 
code for those LDAP_UNAVAILABLE or LDAP_SERVER_DOWN cases.

> However, if Heimdal is to update the LDAP backend with logon counts, bad
> password lockout and the rest, it will have to handle referrals and
> ldaps etc.  Use of transport-layer authentication (SASL EXTERNAL) might
> avoid some of the issues with password storage.  (Samba uses
> secrets.tdb).

While I do prefer the use of SASL EXTERNAL, the fact is that the issue 
of secret storage remains the same - a cert's private key must still be 
available after all.

But I question the need to talk to a remote LDAP server in the first 
place. How many KDCs do you usually deploy in a network? I think the 
right answer in any given domain/realm is One, plus a backup. When you 
have geographically diverse users, you usually split the realm and 
create a local KDC for that purpose... As a general rule, you don't want 
to have to look Very Far Away to get an answer to an authentication 
question.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
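
An added illustration of the "leave it to slapd" suggestion above (example configuration, not from the thread or from either project): a slapd.conf fragment for a local proxy that the KDC reaches over ldapi only, while back-ldap handles the remote ldaps connections, their caching, and failover. The hostnames, paths, suffix, and timeouts are assumptions; the directives are those of slapd-ldap(5), and the `tls ldaps` form and `idassert-bind` with SASL EXTERNAL are assumed to be available in the slapd version in use.

```conf
# Local proxy slapd started with:  slapd -h ldapi:///
# (assumed layout: this runs on the KDC host; the real directory is remote)

database        ldap
suffix          "dc=example,dc=com"

# Space-separated URI list: back-ldap fails over to the next server
# when the first one is unreachable. Hostnames are assumptions.
uri             "ldaps://ldap1.example.com/ ldaps://ldap2.example.com/"

# Recycle idle and long-lived connections so a restarted remote
# server does not leave the proxy holding a dead socket.
idle-timeout    300
conn-ttl        3600
network-timeout 5

# The proxy authenticates with a client certificate (SASL EXTERNAL);
# the private key still has to be readable from disk, as the reply notes.
tls             ldaps tls_cert=/etc/ldap/proxy-cert.pem tls_key=/etc/ldap/proxy-key.pem tls_cacert=/etc/ldap/ca.pem tls_reqcert=demand
idassert-bind   bindmethod=sasl saslmech=EXTERNAL mode=none

# Only the local root process (the KDC over ldapi) may have its identity
# asserted through the proxy; this is the peercred DN ldapi produces.
idassert-authzFrom "dn.exact:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# Follow referrals on the proxy rather than in the KDC.
chase-referrals yes
```

With this in place the KDC keeps its existing ldapi-only code path, and when both remote servers are down the proxy returns an LDAP error rather than an empty result, which is the case the "temporary failure code" remark in the reply is about: the KDC should map LDAP_UNAVAILABLE or LDAP_SERVER_DOWN to a retryable error so clients move on to another KDC instead of being told the principal does not exist.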