Russ Allbery rra@stanford.edu writes:
That's a really good question and I don't know the answer to that. I can imagine reasons why it would be both ways. This might be a good question to ask on kerberos@mit.edu, and I may go do that for my own curiosity.
Ken Raeburn says:
| We currently assume that a security context is used in only one thread
| at a time, so you could switch between threads, just not use it
| simultaneously in multiple threads. But the person looking into it
| earlier concluded that there may not be anything besides the sequence
| number that's actually subject to race conditions there (and that
| window's probably small enough that it might "work fine in practice"
| much of the time, but no promises), so we could look into extending the
| concurrency for this case, and just do some internal locking around the
| sequence number accesses.
So indeed, don't use MIT Kerberos with OpenLDAP for right now until that additional locking is in place. Once it is, it should be safe.