On Thu, Apr 24, 2008 at 9:40 PM, Marc Boorshtein <[EMAIL PROTECTED]> wrote:
> ApacheDSers,
>
> I just wanted to drop you guys a line to let you know that the
> kerberos-client code works well with Active Directory (at least for a TGT, I
> haven't tried a SGT) with one caveat. The user principal name in AD has the
> domain as lowercase (i.e. [EMAIL PROTECTED]) but in order for the
> kerberos-client code to work the domain needs to be upper case (i.e.
> [EMAIL PROTECTED]). I don't know if this is because of the internal
> code or AD.

Glad to hear it. Which version of AD? Are you by any chance testing against 2008? I'll have to look into what the reasons are for the case issue.

> ...
> A question about the internals of the kerberos-client, does it make sense to
> pool the connection objects? Does it maintain an open connection or does it
> open a new connection for each ticket?

IIRC, the client is fully blocking and doesn't pool connections; a new connection is created each time. The intention was to use it for integration tests in JUnit, so there's nothing fancy w.r.t. scalability or asynchronous support. Kerberos is a request-response (stateless) protocol and originally ran only over UDP (still the default), so at a protocol level there's no point to reusing a connection. I haven't tested whether there is any benefit to reusing a TCP connection.

Enrique
