>It is also worth noting that, while Heimdal is not thread safe (at least there
>are no guarantees), it has proven to be much more thread-robust than MIT.
>OpenLDAP page and a couple of users have experienced problems with MIT and
>threaded OpenLDAP server, while Heimdal performed flawlessly.
>
>It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)

I believe that many of the problems of thread-safeness in MIT Kerberos result from the lack of any file locking in the replay cache code. Heimdal solves this part of thread-safeness by not having a replay cache, at a cost to security. How much this affects security in practice is debatable; I'm not aware of any current attacks against Kerberos application servers via ticket replay, but it's certainly possible.

--Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
