One last thing just popped in my head. You might want to
run a packet sniffer (I use Ethereal) while testing your
code. Your situation sounds similar to one I encountered
a couple of months ago, and I have a hunch your code is
automatically rebinding to "referred" LDAP servers without
encrypting
SASL and the GSS-API are not easy to use. They seem
overly complicated to me, and the documentation is
confusing. I could only get them working by looking
at sample code. I first looked at some Samba code,
but decided not to go that route. OpenLDAP
distributes a sample LDAP program which demons
Frank Cusack wrote:
> On Tue, 23 Aug 2005 14:36:02 + [EMAIL PROTECTED] wrote:
> > Yeah, I wasn't sure what the standard practice is, and whether
> > it was necessary to keep calling res_ninit() multiple times per
> > context. I suggested that route because it is more conservative.
> > It keep
Yeah, I wasn't sure what the standard practice is, and whether
it was necessary to keep calling res_ninit() multiple times per
context. I suggested that route because it is more conservative.
It keeps all the functionality the same, while reducing the leak.
Res_ninit() is supposed to read the
Ken Raeburn wrote:
> We've run into other cases where a krb5_context is needed but other
> APIs make it difficult for one to be made available. So there's code
> out there that allocates many short-lived krb5_context structures,
> often without using them for actual network stuff.
OK, thinking
>At no point was there any assumption that the program I
>provided was efficient. It was a proof of concept program to show how
>to exploit the memory leak. I agree that placing the res_state
>variable into the krb5_context is a good solution, and that creating
>multiple contexts in the same thread
Tom, OK. If you feel this solution is acceptable, I'll write some
code to minimize this leak as described in my second message. (Use
exactly one res_state structure for each krb5_context, but still
call res_ninit() right before the lookup. Res_ninit() will then
deallocate the res_state before rea
I looked at the Heimdal source, and apparently it has this
issue too. Didn't run any tests to verify this though.
I looked at BIND, and indeed res_ndestroy() is defined in
the resolv.h header file, but not exported. However, while
perusing the source, I noticed if res_ninit() is called
more than
ich BTW has created a lot more work for me. I could
possibly submit a patch though.
Thanks.
Brian Joh
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Right, but there are also interfaces that are intended for public use
that can only be found by looking at the source. For instance, when I
looked at the source to some of the Kerberos applications in the
standard distribution, I found no one uses krb5_get_in_tkt() or any of
its variants anymore.
I recently learned how to program MIT Kerberos with no
previous knowledge of anything Kerberos related.
If you haven't already, you should first understand
how to use Kerberos and also understand the protocol
at a high level. Google for "The Moron's Guide to
Kerberos" and play with kinit, kde
We're not using kinit. We're basically writing our own programs
built on the Kerberos libraries. However, I've looked at the source
code to kinit when I was learning how to use the MIT libraries, and
it would not be hard to modify.
Tunneling sounds like the best option.
We have over 500 Windows 2000 and Windows 2003 domain
controllers (KDCs in Active Directory), that we don't want to have
to modify or install new software on. These domain controllers
(KDCs) do have SSL properly configured, so I suppose, we could
tunnel the
Hi,
In my company, we're pitching a Kerberos-based solution to authenticate tens of
thousands of Linux users to Active Directory. To increase the likelihood of
approval by the higher-ups, we really need to eliminate all perceived security
holes.
Although preauthentication helps some, Kerber
15 matches