
List:       openldap-software
Subject:    Re: Openldap and MIT krb5-1.4
From:       Quanah Gibson-Mount <quanah () stanford ! edu>
Date:       2005-01-31 18:14:58
Message-ID: 7F610BFCBB2A7D59240A0106 () cadabra-dsl ! stanford ! edu

--On Monday, January 31, 2005 10:14 AM -0200 Andreas Hasenack 
<andreas@conectiva.com.br> wrote:

> On Sat, Jan 29, 2005 at 05:46:50PM -0800, Quanah Gibson-Mount wrote:
>> tested.  And unless you disable the replay cache, you'll run into some
>> nasty issues that they don't plan on fixing.
>
> Isn't the replay cache a "good thing" to have? regarding Kerberos
> security?

On the kerberos servers, yes.  If you have a server dedicated to LDAP, no. 
Especially not if it is a high-volume server.  The current K5 replay cache 
uses the timestamp of an incoming request in the replay cache, and it is 
entirely possible to have multiple requests come in at the same time.  This 
has some nasty consequences (dropped connections), and won't be fixed for 
the time being.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
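The collision Quanah describes, as an added model that is not part of the thread and not MIT krb5 code: a cache keyed on (client, server, timestamp) rejects a second legitimate request that arrives in the same second, while a key that also hashes the authenticator bytes (a hypothetical alternative assumed here) tells the two apart and still catches a byte-identical resend. Principal names and timestamps are constructed.

```python
import hashlib

class ReplayCache:
    """Constructed model of a timestamp-based replay cache (not MIT krb5 code)."""

    def __init__(self, key_fn, window=300):
        self.key_fn = key_fn      # what identifies a request
        self.window = window      # clock-skew window in seconds
        self.seen = {}            # key -> timestamp when first seen

    def check(self, req):
        """Return True if the request is accepted, False if rejected as a replay."""
        now = req["timestamp"]
        # Drop entries older than the skew window; they are outside the window anyway.
        for k in [k for k, t in self.seen.items() if now - t > self.window]:
            del self.seen[k]
        key = self.key_fn(req)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True

def timestamp_key(req):
    # Keys only on client, server and timestamp, as the message describes.
    return (req["client"], req["server"], req["timestamp"])

def authenticator_key(req):
    # Hypothetical alternative: also hash the authenticator bytes, so two distinct
    # authenticators sent in the same second are told apart, while a byte-identical
    # resend is still caught.
    digest = hashlib.sha256(req["authenticator"]).hexdigest()
    return (req["client"], req["server"], req["timestamp"], digest)

def simulate(key_fn):
    """Feed three constructed requests through a cache and return accept/reject."""
    base = {"client": "alice@EXAMPLE.COM",
            "server": "ldap/ldap.example.com@EXAMPLE.COM",
            "timestamp": 1107195298}
    reqs = [
        dict(base, authenticator=b"authenticator-A"),  # first request
        dict(base, authenticator=b"authenticator-B"),  # concurrent, same second
        dict(base, authenticator=b"authenticator-A"),  # genuine replay of the first
    ]
    cache = ReplayCache(key_fn)
    return [cache.check(r) for r in reqs]

if __name__ == "__main__":
    print("timestamp-only key:  ", simulate(timestamp_key))      # [True, False, False]
    print("authenticator-aware: ", simulate(authenticator_key))  # [True, True, False]
```

The second entry in the timestamp-only run is the dropped connection from the message: a legitimate request rejected because it shares a timestamp with another.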
