Date: Tue, 29 Apr 2008 21:10:25 -0700
From: "Enrique Rodriguez"
Reply-To: erodriguez@apache.org
To: "Apache Directory Developers List"
Subject: Re: [Kerberos Client] Works on Active Directory, question about connection pooling

On Thu, Apr 24, 2008 at 9:40 PM, Marc Boorshtein wrote:
> ApacheDSers,
>
> I just wanted to drop you guys a line to let you know that the
> kerberos-client code works well with Active Directory (at least for a TGT, I
> haven't tried a SGT) with one caveat. The user principal name in AD has the
> domain as lowercase (ie mlb@test.mydomain.com) but in order for the
> kerberos-client code to work the domain needs to be upper case (ie
> mlb@TEST.MYDOMAIN.COM). I don't know if this is because of the internal
> code or AD.

Glad to hear it. Which version of AD? Are you by any chance testing against 2008?

I'll have to look into what the reasons are for the case issue.

> ...
> A question about the internals of the kerberos-client, does it make sense to
> pool the connection objects? Does it maintain an open connection or does it
> open a new connection for each ticket?

IIRC, the client is fully blocking and doesn't pool connections; a new connection is created each time. The intention was to use it for integration tests in JUnit, so there's nothing fancy w.r.t. scalability or asynchronous support.

Kerberos is a request-response (stateless) protocol and originally ran only over UDP (still the default) so at a protocol-level there's no point to reusing a connection. I haven't tested whether there is any benefit to reusing a TCP connection.

Enrique