krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
Nicolas Williams
Nicolas.Williams at sun.com
Thu Apr 10 17:53:02 EDT 2003
On Thu, Apr 10, 2003 at 03:52:35PM -0500, Steve Langasek wrote:
> On Wed, Apr 09, 2003 at 11:29:23AM -0700, Nicolas Williams wrote:
> > On Wed, Apr 09, 2003 at 01:55:58PM -0400, Sam Hartman wrote:
> > > I don't want a global shared filesystem just because I have a shared
> > > LDAP cluster.
>
> > > I understand the clusters you deal with tend to be physically located
> > > in the same space and tend to share disks or at least filesystem.
>
> > > That is not the only type of cluster that exists.
>
> > Er, why do you cluster LDAP services?
>
> Because round-robin balancing at the application level is conspicuously
> absent where LDAP is concerned, so clustering at the DNS level is often
> the best option?
One [quasi-]word: yuk.
I don't believe that this sort of load balancing belongs in
krb5_sname_to_principal(). Not remotely.
Especially if having such functionality conflicts with efforts to secure
the principal name canonicalization (or, rather, with the efforts to get
rid of princ canon without giving up on its utility).
Cheers,
Nico
--
More information about the krbdev
mailing list