Posted to dev@directory.apache.org by Marc Boorshtein <mb...@gmail.com> on 2008/04/25 06:40:46 UTC

[Kerberos Client] Works on Active Directory, question about connection pooling

ApacheDSers,

I just wanted to drop you guys a line to let you know that the
kerberos-client code works well with Active Directory (at least for a TGT, I
haven't tried a SGT) with one caveat.  The user principal name in AD has the
domain as lowercase (ie mlb@test.mydomain.com) but in order for the
kerberos-client code to work the domain needs to be upper case (ie
mlb@TEST.MYDOMAIN.COM).  I don't know if this is because of the internal
code or AD.

A question about the internals of the kerberos-client, does it make sense to
pool the connection objects?  does it maintain an open connection or does it
open a new connection for each ticket?

Thanks
Marc
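As an added illustration (not code from this thread or from the ApacheDS kerberos-client), here is a small Python helper that parses the string form of a Kerberos principal, honours backslash escapes, and upper-cases only the realm before a request is built, so a UPN copied from AD (mlb@test.mydomain.com) goes out as mlb@TEST.MYDOMAIN.COM, the form the thread reports as working. The function names and the default-realm parameter are my own choices; the principal strings are constructed samples.

```python
"""Canonicalize Kerberos principal names: upper-case the realm, leave the rest alone."""
from typing import List, Tuple


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@realm' into (components, realm).

    Backslash escapes (\\/, \\@, \\\\) are honoured as in the MIT/RFC 1964
    string form, so an escaped '/' or '@' stays inside its component.
    The first unescaped '@' starts the realm; if there is none, the realm
    is returned as the empty string.
    """
    components: List[str] = []
    current: List[str] = []
    realm = None          # None until an unescaped '@' is seen
    i, n = 0, len(principal)
    while i < n:
        ch = principal[i]
        if ch == "\\" and i + 1 < n:
            current.append(principal[i + 1])   # escaped char is literal
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(current))
            current = []
        elif realm is None and ch == "@":
            components.append("".join(current))
            current = []
            realm = ""                          # now collecting the realm
        else:
            current.append(ch)
        i += 1
    if realm is None:
        components.append("".join(current))
        realm = ""
    else:
        realm = "".join(current)
    if not components or any(c == "" for c in components):
        raise ValueError(f"empty component in principal {principal!r}")
    return components, realm


def _escape(s: str) -> str:
    """Re-escape the characters that parse_principal treats as separators."""
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def format_principal(components: List[str], realm: str) -> str:
    """Inverse of parse_principal; omits '@' when there is no realm."""
    name = "/".join(_escape(c) for c in components)
    return f"{name}@{_escape(realm)}" if realm else name


def canonicalize_principal(principal: str, default_realm: str = "") -> str:
    """Return the principal with its realm in upper case.

    Kerberos realm names are case-sensitive, and an AD realm is the DNS
    domain in upper case; a UPN copied from the directory carries the
    lower-case domain, which is the mismatch reported in the thread.
    Only the realm is touched: component case is passed through unchanged.
    (hypothetical helper, not part of kerberos-client)
    """
    components, realm = parse_principal(principal)
    realm = realm or default_realm
    if not realm:
        raise ValueError(f"no realm in {principal!r} and no default realm")
    return format_principal(components, realm.upper())


if __name__ == "__main__":
    # constructed sample inputs
    for p in ("mlb@test.mydomain.com",
              "host/web01.test.mydomain.com@test.mydomain.com",
              "user\\@corp@test.mydomain.com"):
        print(p, "->", canonicalize_principal(p))
```

The parser tracks whether it is inside the realm so a '/' after the '@' is kept literally, and an escaped '@' inside the primary (as in `user\@corp`) does not start the realm early; `format_principal` re-escapes on the way out so the normalized string round-trips through `parse_principal`.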

Re: [Kerberos Client] Works on Active Directory, question about connection pooling

Posted by Marc Boorshtein <mb...@gmail.com>.
>
> Glad to hear it.  Which version of AD?  Are you by any chance testing
> against 2008?  I'll have to look into what the reasons are for the
> case issue.
>

AD 2003, haven't tried anything on 2008 yet


> IIRC, the client is fully blocking and doesn't pool connections; a new
> connection is created each time.  The intention was to use it for
> integration tests in JUnit, so there's nothing fancy w.r.t.
> scalability or asynchronous support.  Kerberos is a request-response
> (stateless) protocol and originally ran only over UDP (still the
> default) so at a protocol-level there's no point to reusing a
> connection.  I haven't tested whether there is any benefit to reusing
> a TCP connection.
>

Thanks.  For now I'm not going to worry about connection pooling.  It looks
like it supports TCP/IP, but for now I'm just going to use UDP.

Thanks again!

Marc

Re: [Kerberos Client] Works on Active Directory, question about connection pooling

Posted by Enrique Rodriguez <en...@gmail.com>.
On Thu, Apr 24, 2008 at 9:40 PM, Marc Boorshtein <mb...@gmail.com> wrote:
> ApacheDSers,
>
> I just wanted to drop you guys a line to let you know that the
> kerberos-client code works well with Active Directory (at least for a TGT, I
> haven't tried a SGT) with one caveat.  The user principal name in AD has the
> domain as lowercase (ie mlb@test.mydomain.com) but in order for the
> kerberos-client code to work the domain needs to be upper case (ie
> mlb@TEST.MYDOMAIN.COM).  I don't know if this is because of the internal
> code or AD.

Glad to hear it.  Which version of AD?  Are you by any chance testing
against 2008?  I'll have to look into what the reasons are for the
case issue.

> ...
> A question about the internals of the kerberos-client, does it make sense to
> pool the connection objects?  does it maintain an open connection or does it
> open a new connection for each ticket?

IIRC, the client is fully blocking and doesn't pool connections; a new
connection is created each time.  The intention was to use it for
integration tests in JUnit, so there's nothing fancy w.r.t.
scalability or asynchronous support.  Kerberos is a request-response
(stateless) protocol and originally ran only over UDP (still the
default) so at a protocol-level there's no point to reusing a
connection.  I haven't tested whether there is any benefit to reusing
a TCP connection.

Enrique