--On Thursday, November 09, 2006 9:48 AM -0800 Donn Cave donn@u.washington.edu wrote:
On the other hand, we use MIT Kerberos with slapd. I have observed reduced authentication speed, compared to SSL, but as I understand it that comes from replay cache functionality in the MIT server that serves an arguably desirable purpose. With current Cyrus SASL, I don't see any serious problem with MIT Kerberos, but if you're expecting an extremely heavy load of GSSAPI authentication and are willing to dispense with the replay cache checks, your perspective might be different.
Funny, because the MIT developers always tell me to turn off the replay cache first thing, when using the MIT libraries, as it is something they seem to feel should *not* be used with OpenLDAP.
Set KRB5RCACHETYPE to "none".
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html