directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: [Kerberos Client] Works on Active Directory, question about connection pooling
Date Wed, 30 Apr 2008 04:10:25 GMT
On Thu, Apr 24, 2008 at 9:40 PM, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> ApacheDSers,
>
> I just wanted to drop you guys a line to let you know that the
> kerberos-client code works well with Active Directory (at least for a TGT, I
> haven't tried an SGT) with one caveat.  The user principal name in AD has the
> domain as lowercase (i.e. mlb@test.mydomain.com) but in order for the
> kerberos-client code to work the domain needs to be upper case (i.e.
> mlb@TEST.MYDOMAIN.COM).  I don't know if this is because of the internal
> code or AD.

Glad to hear it.  Which version of AD?  Are you by any chance testing
against 2008?  I'll have to look into what the reasons are for the
case issue.

> ...
> A question about the internals of the kerberos-client: does it make sense to
> pool the connection objects?  Does it maintain an open connection or does it
> open a new connection for each ticket?

IIRC, the client is fully blocking and doesn't pool connections; a new
connection is created each time.  The intention was to use it for
integration tests in JUnit, so there's nothing fancy w.r.t.
scalability or asynchronous support.  Kerberos is a request-response
(stateless) protocol and originally ran only over UDP (still the
default), so at a protocol level there's no point to reusing a
connection.  I haven't tested whether there is any benefit to reusing
a TCP connection.

Enrique
