GSSAPI - context lifetime

Russ Allbery rra at
Fri May 30 13:12:35 EDT 2008

Simon Wilkinson <simon at> writes:

> This issue appears from time to time on the OpenLDAP list.
> Unfortunately, Heimdal and MIT have different behaviours in this area -
> Heimdal allows gss_wrap() and unwrap() to be used within an expired
> context. The OpenLDAP code fails to handle the situation where these
> calls fail within the SASL layer, and hangs when attempting to perform
> connections with an expired context. Essentially, this means that MIT
> Kerberos cannot be used to back the GSSAPI SASL mechanism within their
> replication code, without requiring a server restart every time the GSS
> context expires.

Yeah, the problem with SASL not knowing how to reauthenticate or see
expiration of sessions is a major problem, and I agree that this makes a
completely "formally" proper treatment of session expiration hard enough
that it may not be a good idea.

Russ Allbery (rra at             <>

More information about the krbdev mailing list