
More pynslcd issues

Hi Arthur (and everyone else on the list)

I've had some more time to look into pynslcd and found a couple of new issues.

First a simple one. There seem to be some applications using getpwnam("*") 
rather than getpwent(), to get all nss users. pynslcd will choke on this 
because "*" is not a valid username. Attached is nss-pam-ldapd-by-name.patch 
which adds support for this (mis)usage to the passwd, group and shadow tables.

Secondly, I'm having some problems with the timeouts...

First off, from what I can tell, libldap originally used LDAP_OPT_TIMELIMIT set 
in seconds for all timeouts. In later libldap versions it has been deprecated 
in favour of LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMEOUT, both set using 
struct timeval.

The C implementation of nslcd oddly sets the deprecated LDAP_OPT_TIMELIMIT to 
the "timelimit" setting from the configuration file (defaulting to forever) but 
sets both replacement variables to the "bind_timelimit" setting (defaulting 
to 10s) if libldap is new enough to support the new options.

The Python implementation, however, sets all three options to the "timelimit" 
setting (defaulting to forever), which makes pynslcd hang forever if the 
connection to the LDAP server goes down. If I set "timelimit" to a lower value 
pynslcd will instead bork reporting an unhandled ldap.TIMEOUT exception.

Attached is a work in progress patch (nss-pam-ldapd-timelimit.patch) that 
makes both the C and Python implementations use "timelimit" for both 
LDAP_OPT_TIMELIMIT and LDAP_OPT_TIMEOUT, but "bind_timelimit" for 
LDAP_OPT_NETWORK_TIMEOUT, and changing the default of "timelimit" to 10s 
(like bind_timelimit) in both implementations. It also adds handling of the 
ldap.TIMEOUT exception to pynslcd (doing the same as for ldap.SERVER_DOWN). 
Please test it and see if you can improve on it.

Best Regards
Jon Severinsson

Attachment: nss-pam-ldapd-by-name.patch
Description: Text Data

Attachment: nss-pam-ldapd-timelimit.patch
Description: Text Data
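
The timeout mapping and exception handling described in the message, as an added sketch that is not taken from the attached patches or from pynslcd itself. `apply_timeouts`, `search_with_reconnect`, `FakeConn` and `demo` are hypothetical names, the reconnect-once policy is an assumption about what "the same as for ldap.SERVER_DOWN" means, and a stand-in replaces python-ldap when it is not installed.

```python
import types

try:
    import ldap  # python-ldap, the binding pynslcd uses
except ImportError:
    # Stand-in so the sketch runs without python-ldap; values are constructed.
    class _Err(Exception):
        pass
    ldap = types.SimpleNamespace(
        OPT_TIMELIMIT="OPT_TIMELIMIT", OPT_TIMEOUT="OPT_TIMEOUT",
        OPT_NETWORK_TIMEOUT="OPT_NETWORK_TIMEOUT",
        SERVER_DOWN=type("SERVER_DOWN", (_Err,), {}),
        TIMEOUT=type("TIMEOUT", (_Err,), {}))

def apply_timeouts(conn, timelimit=10, bind_timelimit=10):
    """Set the three libldap timeouts the way the message proposes."""
    conn.set_option(ldap.OPT_TIMELIMIT, timelimit)             # deprecated, seconds
    conn.set_option(ldap.OPT_TIMEOUT, timelimit)               # per-operation wait
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, bind_timelimit)  # connect wait

def search_with_reconnect(connect, do_search, retries=1):
    """Run do_search(conn); handle TIMEOUT exactly like SERVER_DOWN."""
    conn = connect()
    for attempt in range(retries + 1):
        try:
            return do_search(conn)
        except (ldap.SERVER_DOWN, ldap.TIMEOUT):
            if attempt == retries:
                raise  # bounded: never hang or loop forever
            conn = connect()  # assumed policy: drop the connection, open a new one

class FakeConn:
    """Constructed test double: the first connection stalls, later ones answer."""
    opened = 0
    def __init__(self):
        FakeConn.opened += 1
        self.serial, self.options = FakeConn.opened, {}
        apply_timeouts(self, timelimit=10, bind_timelimit=10)
    def set_option(self, option, value):
        self.options[option] = value
    def search(self, name):
        if self.serial == 1:
            raise ldap.TIMEOUT("constructed timeout")
        return [name]

def demo():
    FakeConn.opened = 0
    result = search_with_reconnect(FakeConn, lambda c: c.search("alice"))
    return result, FakeConn.opened  # (["alice"], 2)
```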
