Russ Allbery <rra(a)stanford.edu> writes:
That's a really good question and I don't know the answer to that. I
can imagine reasons why it would be both ways. This might be a good
question to ask on kerberos(a)mit.edu, and I may go do that for my own
curiosity.
Ken Raeburn says:
| We currently assume that a security context is used in only one thread
| at a time, so you could switch between threads, just not use it
| simultaneously in multiple threads. But the person looking into it
| earlier concluded that there may not be anything besides the sequence
| number that's actually subject to race conditions there (and that
| window's probably small enough that it might "work fine in practice"
| much of the time, but no promises), so we could look into extending the
| concurrency for this case, and just do some internal locking around the
| sequence number accesses.
So indeed, don't use MIT Kerberos with OpenLDAP for right now until that
additional locking is in place. Once it is, it should be safe.
--
Russ Allbery (rra(a)stanford.edu) <http://www.eyrie.org/~eagle/>