(apologies for those on netman, this should have gone to wireless-lan
originally)
Hi All,
A while back there was some discussion about the current krb5 module in
FreeRADIUS being single threaded, and that it may no longer be necessary for it
to be single threaded.
It transpires that both MIT and Heimdal libraries are now thread safe, MIT
since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7
(documentation is fuzzy).
I can't test beyond compiling the code against the kerberos library, and maybe
setting up a test KDC/TGS. But for this to be put into the stable branch it
really needs to be tested under load, against a range of Kerberos
implementations.
We're looking for volunteers, preferably a mix of deployments using either MIT
or Heimdal. The new module should just drop in for any v2.1.x deployment once
compiled, as it doesn't use any new core API functions.
Change list:
* Both - Check that krb5 library was compiled with threading support on
startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation
only (instead of on every request).
* Both - Improved return codes, will now reflect revoked
access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well
as bad password (REJECT), and other errors (FAIL). Before, the module returned
REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be
validated on -C), and hup safe (config will be reloaded on SIGHUP)
* Both - Switch more messages to use RDEBUG so they'll be printed in
conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion
so that it's done at initialisation only (instead of on every request).
* MIT - Move options configuration so they're done at initialisation
only (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and
krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the
replay cache on its own.
For those wanting to test:
git clone [email protected]:arr2036/freeradius-server.git
cd freeradius-server
git checkout threaded_krb5
Report issues on: http://bugs.freeradius.org, and send feedback to either the
list or me directly.
Thanks,
Arran
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.