Issues with sasl under heavy load, configuration issue?

Howard Chu hyc at highlandsun.com
Mon Apr 7 18:36:55 EDT 2008


Roberto C. Sánchez wrote:
> On Mon, Apr 07, 2008 at 02:42:04PM -0700, Howard Chu wrote:
>> Best advice - use Heimdal Kerberos. MIT Kerberos code quality is poor, and
>> thread safety is still unproven.
>
> Care to cite some real examples?
>
> Here are some that cast into doubt your assertion about poor code
> quality:
>
> http://article.gmane.org/gmane.comp.encryption.kerberos.general/12042
> http://article.gmane.org/gmane.comp.encryption.kerberos.general/12044
> http://article.gmane.org/gmane.comp.encryption.kerberos.general/12069

I suppose I should have been more specific, but none of those cases are 
relevant, since they are talking about the KDC, and the problem with thread 
safety is in the client libraries.

Go ahead and google for "kerberos thread safety" and you'll see a long history 
of problems, a bit of discussion about how to solve it spanning 2000-2003, and 
not much actual work on solutions until very recently e.g.
http://www.openldap.org/lists/openldap-technical/200802/msg00118.html

I stand by my assertion that their thread safety is still unproven. They have 
pretty much zero practical experience tackling the problem, while Heimdal has 
been working smoothly for several years.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


More information about the Cyrus-sasl mailing list