Re: Comments on LDAP support in heimdal
> On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:
>> ldaps also is good idea :-)
>
> The main issue with moving off-host is that heimdal is single-threaded,
> and would need to cache connections and handle disconnects much better.
> Samba has a lot of experience in this area, and we found it is actually
> a lot of work.
I meant ldap+ssl, not just "multiple ldap servers"
>
> While it is rarely a problem in the single-host setup, if your remote
> ldap server goes down, Heimdal currently returns 'user does not exist'
> messages to the client, which then doesn't try any other possible KDCs.
>
> However, if Heimdal is to update the LDAP backend with logon counts, bad
> password lockout and the rest, it will have to handle referrals and
> ldaps etc. Use of transport-layer authentication (SASL EXTERNAL) might
> avoid some of the issues with password storage. (Samba uses
> secrets.tdb).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc. http://suse.de
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
>
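The failure mode described above (a remote LDAP outage surfacing to the client as "user does not exist") and the connection caching Andrew mentions, as an added example that is not part of this thread or of Heimdal's code: the LDAP server is a constructed in-memory fake, and mapping a backend outage to KRB_ERR_GENERIC rather than KDC_ERR_C_PRINCIPAL_UNKNOWN is the assumed fix.

```python
# Added example (not Heimdal's code): a toy principal store that caches one LDAP
# connection, reconnects after a dropped connection, and maps "backend down" to
# a KDC error that makes the client try another KDC instead of giving up.
# The LDAP server is a constructed in-memory fake; no network is used.

# RFC 4120 error codes
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # "user does not exist": client stops trying KDCs
KRB_ERR_GENERIC = 60              # generic KDC failure: client may fail over

class BackendUnavailable(Exception):
    """Directory unreachable; deliberately distinct from 'no such entry'."""

class FakeLdapServer:
    """Constructed stand-in for an LDAP server; `outages` = failed connects left."""
    def __init__(self, entries, outages=0):
        self.entries, self.outages = entries, outages
    def connect(self):
        if self.outages:
            self.outages -= 1
            raise ConnectionError("ldap: connection refused")
        return FakeLdapConnection(self)

class FakeLdapConnection:
    def __init__(self, server):
        self.server, self.open = server, True
    def drop(self):                     # simulate the server closing the socket
        self.open = False
    def search(self, principal):
        if not self.open:
            raise ConnectionError("ldap: connection lost")
        return self.server.entries.get(principal)

class PrincipalStore:
    """Caches one connection; on any ConnectionError it reconnects and retries."""
    def __init__(self, server, max_retries=1):
        self.server, self.max_retries, self.conn = server, max_retries, None
    def lookup(self, principal):
        for _ in range(self.max_retries + 1):
            try:
                if self.conn is None:
                    self.conn = self.server.connect()
                return self.conn.search(principal)
            except ConnectionError:
                self.conn = None        # discard the dead connection before retrying
        raise BackendUnavailable(principal)

def kdc_as_req(store, principal):
    """Return 0 when the principal exists, else the Kerberos error to send."""
    try:
        entry = store.lookup(principal)
    except BackendUnavailable:
        return KRB_ERR_GENERIC          # not PRINCIPAL_UNKNOWN: let the client fail over
    return 0 if entry is not None else KDC_ERR_C_PRINCIPAL_UNKNOWN
```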