--On Tuesday, April 15, 2008 5:02 PM +0100 Dominic Hargreaves dominic.hargreaves@oucs.ox.ac.uk wrote:
> Is anything likely to change in this regard? Having looked into the issue, it does seem that fixing this with MIT Kerberos would require (at a minimum) changing the SASL library, and any such change would be a hack, since it doesn't look to the untrained eye like SASL provides a mechanism for getting information about connection lifetimes.
The advice against using MIT Kerberos was more related to thread safety issues than the credential expiration problem. I think the OpenLDAP list is the wrong place to ask what will happen with MIT Kerberos to fix problematic issues related to thread safety. I.e., the problems referenced are not on the OpenLDAP side of things. As for the credential expiration issue, as far as I'm aware, the MIT folks have no desire to change how things behave now. If you don't want to deal with the problem, use a cyrus-sasl linked against Heimdal instead of MIT on your OpenLDAP servers.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration