Thread-safe libraries

[Sam Hartman]

>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:

    Lukas> Sam Hartman wrote:
    >>>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:
    Lukas> How complicated is it to move to Heimdal from MIT?  I need
    Lukas> a solution to enable users' authentication to LDAP in our
    Lukas> network which uses MIT Kerberos 5. What do you use?
    >> On a Debian system using the native LDAP, install
    >> libsasl2-modules-gssapi-heimdal not libsasl2-gssapi-mit.  That
    >> should be all you need.  You can continue using MIT for
    >> everything else.

    Lukas> Thank you, that's what I was looking for! I wouldn't expect
    Lukas> it is suitable to use heimdal libraries wit MIT K5.

No, but I've spent a fair bit of time working with the Debian Heimdal
maintainer (I maintain MIT Kerberos for Debian) to make sure you can
install both libraries on the same system.

Each application chooses which version of Kerberos it wants.

We should soon be at a point where different parts of the same
application can use different Kerberos implementations.


    >> If I'm misremembering that you are using Debian, then you just
    >> need to build libsasl against LDAP.

    >> If you are also using PAM, you might want libpam-heimdal not
    >> libpam-krb5.

    Lukas> Why. Is it related to the threading support too?

Re phrasing: If you use PAM inside your LDAP server you may want
Heimdal PAM modules for two reasons.  First, it currently doesn't work
so well if part of an application uses Heimdal and another part uses
MIT.  So if the SASL plugin for the LDAP server is going to use
Heimdal then anything else within LDAP that uses Kerberos should also
use Heimdal.

Secondly, you'll run into the threading issue possibly if you use PAM
to resolve simple binds.