[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on LDAP support in heimdal

> On Mon, 2005-10-31 at 09:36 +0500, Ilia Chipitsine wrote:
>> ldaps also is good idea :-)
> The main issue with moving off-host is that heimdal is single-threaded,
> and would need to cache connections and handle disconnects much better.
> Samba has a lot of experience in this area, and we found it is actually
> a lot of work.

I meant ldap+ssl, not just "multiple ldap servers"

> While it is rarely a problem in the single-host setup, if your remote
> ldap server goes down, Heimdal currently returns 'user does not exist'
> messages to the client, which then doesn't try any other possible KDCs.
> However, if Heimdal is to update the LDAP backend with logon counts, bad
> password lockout and the rest, it will have to handle referrals and
> ldaps etc.  Use of transport-layer authentication (SASL EXTERNAL) might
> avoid some of the issues with password storage.  (Samba uses
> secrets.tdb).
> Andrew Bartlett
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net