GSSAPI contexts used in multiple threads
Simon Wilkinson
simon at sxw.org.uk
Tue Mar 4 14:24:18 EST 2008
On 4 Mar 2008, at 19:13, Russ Allbery wrote:
> Sam Hartman <hartmans at mit.edu> writes:
>
>>>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:
>>
>> Russ> The answer from Howard is that OpenLDAP treats the stream as
>> Russ> full duplex. His message explaining more details is at:
>>
>> I'd kind of expect that to work today based on my knowledge of the code.
>
> It's quite possible that it does and that I'd just misunderstood the
> guarantees. OpenLDAP had trouble in the past but I think it was stable
> (if slow due to the replay cache) under load with a recent MIT Kerberos,
> but threading bugs can be hard to find even under heavy load.

We run OpenLDAP with MIT Kerberos (largely because we didn't want the
cost of supporting two different Kerberos implementations).

Initially, we ran into thread safety issues. I implemented patches
for Cyrus SASL which locked around calls into the GSSAPI library. We
ran with these until we eventually upgraded to an MIT release with
thread safety guarantees. Since then we've been running against this
code without additional locking, and we haven't seen any issues that
we can trace to the Kerberos code.

Simon.