Issues with sasl under heavy load, configuration issue?

Paul Hasenohr paul.hasenohr at jrc.it
Tue Apr 8 12:41:19 EDT 2008


Thanks to all of you for your answers. For the time being, switching 
from MIT to Heimdal is not an option for me... too many servers and 
clients to reconfigure and no time for that.
I simply store the password of the proxy user account used for binding 
to LDAP directly in LDAP (as a SHA hash). I know it is just a workaround 
but it is a lot faster than changing Kerberos implementation.

Regards,
Paul Hasenohr

Howard Chu wrote:
> Carson Gaspar wrote:
>> Carson Gaspar wrote:
>>> Howard Chu wrote:
>>>> Paul Hasenohr wrote:
>>>>
>>>>> I am running Debian Etch with current Debian packages:
>>>>>      * slapd 2.3.30-5
>>>>>      * sasl2-bin 2.1.22.dfsg1-8
>>>>>      * libsasl2-2 2.1.22.dfsg1-8
>>>>>      * krb5-kdc 1.4.4-7etch5
>>>>>
>>>>> Could anyone please tell me if this behaviour is to be expected or how
>>>>> this could be improved?
>>>> Best advice - use Heimdal Kerberos. MIT Kerberos code quality is poor,
>>>> and thread safety is still unproven.
>>> And the sky is blue, and that has NOTHING to do with the problem.
>>>
>>> The problem is _exactly_ what the log says it is. The client is sending
>>> multiple identical auth requests, which the KDC is (properly) rejecting
>>> as a replay attack. Google shows many hits for a similar bug in
>>> mod_auth_kerb.
>>
>> I tracked down what may be the mod_auth_kerb fix, if anyone cares to
>> look at it:
>>
>> http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.75&r2=1.76&view=patch 
>>
> 
> Replacing one piece of poorly implemented code (replay cache) with 
> another hack to disable it. Great idea. Better idea - replace more of 
> it. In fact, replace all of it.

-- 
Paul HASENOHR
Community Image Data portal project
European Commission - Joint Research Centre
TP 266
Via Fermi 2149
21027 ISPRA (VA), ITALY
Tel: +39 0332 78 60 93 - Fax: +39 0332 78 63 69
Web site: http://mars.jrc.it
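The workaround described above (a simple bind for the proxy user against a hashed userPassword instead of SASL/GSSAPI) relies on the RFC 2307-style {SHA}/{SSHA} values that OpenLDAP's slappasswd produces. The following is an added illustration, not code from this thread or from the OpenLDAP project: it generates both forms, verifies a candidate password against a stored value, and emits an LDIF fragment for setting the attribute. The DN is a made-up placeholder. Note that the unsalted {SHA} form mentioned in the post is weaker than salted {SSHA} (identical passwords hash identically, so precomputed tables work against it), and a simple bind sends the cleartext password, so it needs TLS on the wire.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes of a SHA-1 digest; {SSHA} stores digest || salt


def make_sha(password: str) -> str:
    """Unsalted {SHA} scheme: base64(sha1(password)). Shown only for comparison."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} scheme as slappasswd emits it: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd uses a short random salt; length is not fixed by the format
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is whatever follows the digest
        calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)  # constant-time comparison
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        calc = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(calc, raw)
    raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")


def proxy_user_ldif(dn: str, password: str) -> str:
    """LDIF modify fragment that sets a salted userPassword on the proxy user entry.

    The DN is a placeholder supplied by the caller (hypothetical in this example)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {make_ssha(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a placeholder proxy-user DN and password.
    print(proxy_user_ldif("cn=proxy,ou=system,dc=example,dc=org", "correct horse"))
    stored = make_ssha("correct horse")
    print(stored, verify(stored, "correct horse"), verify(stored, "wrong"))
```

Apply the LDIF with ldapmodify as an administrator, then configure the client to simple-bind as that DN over TLS (ldaps:// or StartTLS); the slapd side needs no SASL or Kerberos involvement for that bind, which is why it sidesteps the replay-cache rejections discussed in the thread.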