Issues with sasl under heavy load, configuration issue?

Howard Chu hyc at highlandsun.com
Mon Apr 7 18:40:37 EDT 2008


Carson Gaspar wrote:
> Carson Gaspar wrote:
>> Howard Chu wrote:
>>> Paul Hasenohr wrote:
>>>
>>>> I am running Debian Etch with current Debian packages:
>>>>      * slapd 2.3.30-5
>>>>      * sasl2-bin 2.1.22.dfsg1-8
>>>>      * libsasl2-2 2.1.22.dfsg1-8
>>>>      * krb5-kdc 1.4.4-7etch5
>>>>
>>>> Could anyone please tell me if this behaviour is to be expected or how
>>>> this could be improved?
>>> Best advice - use Heimdal Kerberos. MIT Kerberos code quality is poor,
>>> and thread safety is still unproven.
>> And the sky is blue, and that has NOTHING to do with the problem.
>>
>> The problem is _exactly_ what the log says it is. The client is sending
>> multiple identical auth requests, which the KDC is (properly) rejecting
>> as a replay attack. Google shows many hits for a similar bug in
>> mod_auth_kerb.
>
> I tracked down what may be the mod_auth_kerb fix, if anyone cares to
> look at it:
>
> http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.75&r2=1.76&view=patch

Replacing one piece of poorly implemented code (replay cache) with another 
hack to disable it. Great idea. Better idea - replace more of it. In fact, 
replace all of it.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
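The diagnosis in the quoted thread, that the KDC is rejecting a second, byte-identical authenticator rather than failing for any other reason, can be illustrated with a toy replay cache. The following is an added example, not code from the thread, mod_auth_kerb, or the krb5 project; the principal names, the 300-second skew window, and the authenticator bytes are constructed. It keys entries on client, server, timestamp, microseconds and a hash of the authenticator, expires entries older than the skew window, and models both a client that retries by resending the same authenticator and one that builds a fresh one.

```python
"""Toy Kerberos-style replay cache (constructed example, not krb5 code)."""
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; the usual Kerberos default clock skew window


@dataclass(frozen=True)
class AuthRequest:
    client: str           # client principal (constructed)
    server: str           # service principal (constructed)
    ctime: int            # authenticator timestamp, seconds
    cusec: int            # authenticator microseconds
    authenticator: bytes  # encrypted authenticator blob (constructed)

    def key(self) -> str:
        # The cache keys on (client, server, ctime, cusec) plus a hash of the
        # authenticator: two identical requests collide, two distinct
        # authenticators from the same client within the same second do not.
        digest = hashlib.sha256(self.authenticator).hexdigest()
        return f"{self.client}|{self.server}|{self.ctime}.{self.cusec:06d}|{digest}"


class ReplayCache:
    """Remembers every authenticator accepted inside the clock-skew window."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self._seen: dict = {}  # key -> ctime of the accepted authenticator

    def _expire(self, now: int) -> None:
        # Entries older than the skew window could never be accepted again,
        # so forgetting them is safe and keeps the cache bounded.
        stale = [k for k, t in self._seen.items() if now - t > self.skew]
        for k in stale:
            del self._seen[k]

    def check(self, req: AuthRequest, now: int) -> str:
        self._expire(now)
        if abs(now - req.ctime) > self.skew:
            return "SKEW"    # outside the window: a clock problem, not a replay
        key = req.key()
        if key in self._seen:
            return "REPLAY"  # identical authenticator already accepted
        self._seen[key] = req.ctime
        return "ACCEPT"


def buggy_client_session(cache: ReplayCache, now: int) -> list:
    """A client that retries by resending the very same authenticator."""
    req = AuthRequest("paul@EXAMPLE.COM", "ldap/ldap.example.com@EXAMPLE.COM",
                      now, 4242, b"constructed-authenticator-1")
    return [cache.check(req, now), cache.check(req, now + 1)]


def correct_client_session(cache: ReplayCache, now: int) -> list:
    """A client whose retry carries a freshly built authenticator."""
    first = AuthRequest("paul@EXAMPLE.COM", "ldap/ldap.example.com@EXAMPLE.COM",
                        now, 4242, b"constructed-authenticator-1")
    second = AuthRequest("paul@EXAMPLE.COM", "ldap/ldap.example.com@EXAMPLE.COM",
                         now + 1, 17, b"constructed-authenticator-2")
    return [cache.check(first, now), cache.check(second, now + 1)]


if __name__ == "__main__":
    now = 1_000_000
    print("buggy client  :", buggy_client_session(ReplayCache(), now))
    print("correct client:", correct_client_session(ReplayCache(), now))
```

The buggy session yields `ACCEPT` then `REPLAY`, which is the pattern the log in the quoted thread shows; the correct session yields two `ACCEPT`s because the second authenticator differs in timestamp, microseconds and content. A request whose timestamp falls outside the skew window is reported separately as `SKEW`, since a clock-drift failure and a replay rejection need different fixes.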
