Issues with sasl under heavy load, configuration issue?
paul.hasenohr at jrc.it
Tue Apr 8 12:41:19 EDT 2008
Thanks to all of you for your answers. For the time being, switching
from MIT to Heimdal is not an option for me... too many servers and
clients to reconfigure and no time for that.
I simply store the password of the proxy user account used for binding
to LDAP directly in LDAP (as a SHA hash). I know it is just a workaround
but it is a lot faster than changing of Kerberos implementation.
Howard Chu wrote:
> Carson Gaspar wrote:
>> Carson Gaspar wrote:
>>> Howard Chu wrote:
>>>> Paul Hasenohr wrote:
>>>>> I am running Debian Etch with current Debian packages:
>>>>> * slapd 2.3.30-5
>>>>> * sasl2-bin 2.1.22.dfsg1-8
>>>>> * libsasl2-2 2.1.22.dfsg1-8
>>>>> * krb5-kdc 1.4.4-7etch5
>>>>> Could anyone please tell me if this behaviour is to be expected or how
>>>>> this could be improved?
>>>> Best advice - use Heimdal Kerberos. MIT Kerberos code quality is poor,
>>>> and thread safety is still unproven.
>>> And the sky is blue, and that has NOTHING to do with the problem.
>>> The problem is _exactly_ what the log says it is. The client is sending
>>> multiple identical auth requests, which the KDC is (properly) rejecting
>>> as a replay attack. Google shows many hits for a similar bug in
>> I tracked down what may be the mod_auth_kerb fix, if anyone cares to
>> look at it:
> Replacing one piece of poorly implemented code (replay cache) with
> another hack to disable it. Great idea. Better idea - replace more of
> it. In fact, replace all of it.
Community Image Data portal project
European Commission - Joint Research Centre
Via Fermi 2149
21027 ISPRA (VA), ITALY
Tel: +39 0332 78 60 93 - Fax: +39 0332 78 63 69
Web site: http://mars.jrc.it
More information about the Cyrus-sasl