Hello,
I'm in the process of deploying an OpenLDAP cluster with a (simple) syncrepl configuration, using Kerberos GSSAPI authentication between the slaves and master. In testing this has worked fine; however, when the original ticket expires, the connection fails without the client noticing. This has already been discussed at the thread ending with
http://www.openldap.org/lists/openldap-software/200608/msg00342.html
so I'm not asking for a rehash of that. However I am puzzled by the discrepancy between the statement "As mentioned on this list numerous times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use Heimdal Kerberos." and the advice given at
http://www.openldap.org/doc/admin24/install.html#%7B%7BTERM%5Bexpand%5DKerbe...
which suggests (or at least implies) that MIT kerberos is usable with OpenLDAP.
Is anything likely to change in this regard? Having looked into the issue it does seem that fixing this with MIT kerberos would require (at a minimum) changing the SASL library, and any such change would be a hack, since it doesn't look to the untrained eye like SASL provides a mechanism for getting information about connection lifetimes.
However, I do think it could be made clearer in the docs that MIT kerberos is not suitable for use with OpenLDAP.
[sidenote: I will be taking some of this up with the Debian cyrus-sasl2 maintainers too, as they do not seem to support Heimdal gssapi any more]
Thanks, Dominic.