kdc ldap referral handling broken

Greg Hudson ghudson at MIT.EDU
Tue Mar 20 12:23:52 EDT 2012


On 03/18/2012 09:11 PM, Paul B. Henson wrote:
> So if any dev had a minute to take a look at the proposed design and
> comment on whether they'd be likely to accept a patch implementing it
> we'd appreciate it.

I've had a chance to discuss this in a team meeting, and the best answer
I can give is that we have some reservations about how useful and how
risky this would be.

1. Slave KDCs would be attempting to write to the master with some
frequency (every successful preauthenticated AS request if
disable_last_success isn't turned on, and every failed preauthenticated
AS request if disable_lockout isn't set).  If the master KDC host goes
down, the slave KDCs would probably become useless due to timeouts
attempting to contact the master.

2. Given the relatively high frequency of referrals to the master, there
would be a strong temptation to keep the referred connections open to
avoid constantly reconnecting and rebinding.  This would raise the risk
of coding error causing those cached connections to be used for the
wrong operations.

Architecturally, it seems superior to arrange for the attributes written
to by a KDC to be non-replicated.  Unfortunately, I can't find any
evidence that OpenLDAP supports this.
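
The two kdc.conf flags mentioned above, shown in context as an added example (not configuration from the original message or from the MIT krb5 project); the realm name EXAMPLE.COM and the dbmodules block are assumed for illustration:

```ini
[realms]
    EXAMPLE.COM = {
        # Assumed: an LDAP-backed KDC, i.e. the setup in which a slave KDC
        # would otherwise have to write these attributes through a referral.
        database_module = openldap_ldapconf

        # Suppresses the "last successful authentication" update that a KDC
        # otherwise performs on every successful preauthenticated AS request.
        disable_last_success = true

        # Suppresses the "last failed authentication" and "failed password
        # attempts" updates on every failed preauthenticated AS request.
        # Caveat: this also disables account lockout for the realm.
        disable_lockout = true
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # ldap_kerberos_container_dn, ldap_kdc_dn etc. omitted; they do not
        # affect the write-frequency question discussed above.
    }
```

With both flags set, a KDC serving preauthenticated AS requests no longer needs to write to the principal entry at all, which removes the per-request referral traffic; the price is that the realm loses account lockout and the last-success timestamp, so the trade-off has to be made per deployment rather than applied blindly.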


More information about the Kerberos mailing list