GSSAPI contexts used in multiple threads

Simon Wilkinson simon at
Tue Mar 4 14:24:18 EST 2008

On 4 Mar 2008, at 19:13, Russ Allbery wrote:

> Sam Hartman <hartmans at> writes:
>>>>>>> "Russ" == Russ Allbery <rra at> writes:
>>     Russ> The answer from Howard is that OpenLDAP treats the stream as
>>     Russ> full duplex.  His message explaining more details is at:
>> I'd kind of expect that to work today based on my knowledge of the code.
> It's quite possible that it does and that I'd just misunderstood the
> guarantees.  OpenLDAP had trouble in the past but I think it was stable
> (if slow due to the replay cache) under load with a recent MIT Kerberos,
> but threading bugs can be hard to find even under heavy load.

We run OpenLDAP with MIT Kerberos (largely because we didn't want the  
cost of supporting two different Kerberos implementations).

Initially, we ran into thread safety issues. I implemented patches
for Cyrus SASL which locked around calls into the GSSAPI library. We
ran with these until we eventually upgraded to an MIT release with
thread safety guarantees. Since then we've been running against this
code without additional locking, and we haven't seen any issues that
we can trace to the Kerberos code.

