OpenLDAP --enable-spasswd, SASL, PAM - not threadsafe?


On Tue, Jul 09, 2002 at 05:50:01PM +0100, Phil Mayers wrote:

> Then, in /etc/pam.d/ldap:

> #%PAM-1.0
> auth        required      /lib/security/pam_krb5.so no_user_check
> session     required      /lib/security/pam_permit.so

> This works - password checks are successfully passed off against our
> Kerberos realm.

> However, it appears to fail under load, possibly due to threading issues
> (a "ps faux" and "gdb /usr/local/libexec/slapd; attach PID; thread apply
> all bt" are attached)

> Thread 7 (line 219 of attached file) appears to be blocked inside the
> SASL library, loading the PAM library. I see three possibilities:

> 1) SASL isn't thread-safe, and OpenLDAP should be appropriately
> protecting this bit of code, and isn't
> 2) PAM isn't thread-safe, and SASL should be locking
> 3) The pam_krb5 (or kerberos) libraries aren't thread safe

When in doubt, choose 'c'.  The MIT Kerberos libraries are known to not
be thread safe, therefore pam_krb5 implementations should provide locks
around the Kerberos calls.  I'm guessing there aren't many (if any)
pam_krb5 implementations doing this, though.

Steve Langasek
postmodern programmer
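
An added illustration of the locking the reply calls for, not code from the thread or from any pam_krb5 implementation. `legacy_check` is a constructed stand-in for a non-thread-safe library call (no real Kerberos or PAM API is used), and `locked_check` serialises it behind one process-wide mutex, as a module loaded into a threaded daemon would have to.

```c
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a non-reentrant call: one static buffer for all threads. */
static char scratch[64];
static int legacy_check(const char *who)
{
    strncpy(scratch, who, sizeof scratch - 1); /* final byte is never written, stays NUL */
    sched_yield();                             /* widen the race window */
    return strcmp(scratch, who) == 0;          /* 0: another thread overwrote the buffer */
}

/* Module-side fix: a single process-wide mutex around every call into the library. */
static pthread_mutex_t legacy_lock = PTHREAD_MUTEX_INITIALIZER;
static int locked_check(const char *who)
{
    pthread_mutex_lock(&legacy_lock);
    int ok = legacy_check(who);
    pthread_mutex_unlock(&legacy_lock);
    return ok;
}

struct job { const char *who; int use_lock; int failures; };
static void *worker(void *arg)
{
    struct job *j = arg;
    for (int i = 0; i < 20000; i++)
        j->failures += !(j->use_lock ? locked_check(j->who) : legacy_check(j->who));
    return NULL;
}

/* Four concurrent "bind" threads; returns how many checks saw a clobbered buffer. */
int run_checks(int use_lock)
{
    const char *names[4] = { "alice@EX.TEST", "bob@EX.TEST", "carol@EX.TEST", "dave@EX.TEST" };
    struct job jobs[4]; pthread_t tid[4]; int total = 0;
    for (int i = 0; i < 4; i++) {
        jobs[i] = (struct job){ names[i], use_lock, 0 };
        pthread_create(&tid[i], NULL, worker, &jobs[i]);
    }
    for (int i = 0; i < 4; i++) { pthread_join(tid[i], NULL); total += jobs[i].failures; }
    return total;
}

int main(void)
{
    int unlocked = run_checks(0), locked = run_checks(1);
    printf("corrupted checks: unlocked=%d locked=%d\n", unlocked, locked);
}
```

The unlocked run may report corrupted checks on a multi-core host; the locked run never does, at the cost of serialising every authentication.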
