More pynslcd issues
- From: Jon Severinsson <jon [at] severinsson.net>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: More pynslcd issues
- Date: Fri, 7 Sep 2012 16:59:46 +0200
Hi Arthur (and everyone else on the list)
I've had some more time to look into pynslcd and found a couple of new issues.
First a simple one. There seem to be some applications using getpwnam("*")
rather than getpwent(), to get all nss users. pynslcd will choke on this
because "*" is not a valid username. Attached is nss-pam-ldapd-by-name.patch
which adds support for this (mis)usage to the passwd, group and shadow tables.
Secondly, I'm having some problems with the timeouts...
First off, from what I can tell, libldap originally used LDAP_OPT_TIMELIMIT set
in seconds for all timeouts. In later libldap versions it has been deprecated
in favour of LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMEOUT, both set using
struct timeval.
The C implementation of nslcd oddly sets the deprecated LDAP_OPT_TIMELIMIT to
the "timelimit" setting from the configuration file (defaulting to forever) but
sets both replacement variables to the "bind_timelimit" setting (defaulting
to 10s) if libldap is new enough to support the new options.
The python implementation, however, sets all three options to the "timelimit"
setting (defaulting to forever), which makes pynslcd hang forever if the
connection to the ldap server goes down. If I set "timelimit" to a lower value
pynslcd will instead bork reporting an unhandled ldap.TIMEOUT exception.
Attached is a work in progress patch (nss-pam-ldapd-timelimit.patch) that
makes both the C and python implementations use "timelimit" for both
LDAP_OPT_TIMELIMIT and LDAP_OPT_TIMEOUT, but "bind_timelimit" for
LDAP_OPT_NETWORK_TIMEOUT, and changing the default of "timelimit" to 10s
(like bind_timelimit) in both implementations. It also adds handling of the
ldap.TIMEOUT exception to pynslcd, doing the same as for ldap.SERVER_DOWN.
Please test it and see if you can improve on it.
Best Regards
Jon Severinsson
Attachment:
nss-pam-ldapd-by-name.patch
Description: Text Data
Attachment:
nss-pam-ldapd-timelimit.patch
Description: Text Data
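
The option mapping and exception handling described in the message above, as an added example that is not part of the original post or of the attached patches. The exception classes and `FakeConnection` are constructed stand-ins for `ldap.TIMEOUT`, `ldap.SERVER_DOWN` and an LDAP connection; `timeout_options` and `search_with_retry` are hypothetical names, and it is assumed that the SERVER_DOWN handling is "reconnect and retry a bounded number of times".

```python
# Added example, not pynslcd code. TIMEOUT, SERVER_DOWN and FakeConnection are
# constructed stand-ins for ldap.TIMEOUT, ldap.SERVER_DOWN and an LDAP
# connection, so this runs without python-ldap or a server.
class TIMEOUT(Exception):
    pass

class SERVER_DOWN(Exception):
    pass

DEFAULTS = {"timelimit": 10, "bind_timelimit": 10}  # seconds, as proposed

def timeout_options(cfg):
    """Map nslcd.conf settings to libldap options the way the message proposes."""
    cfg = {**DEFAULTS, **cfg}
    return {
        "LDAP_OPT_TIMELIMIT": cfg["timelimit"],
        "LDAP_OPT_TIMEOUT": cfg["timelimit"],
        "LDAP_OPT_NETWORK_TIMEOUT": cfg["bind_timelimit"],
    }

class FakeConnection:
    """Raises the scripted errors one per search, then answers."""
    def __init__(self, script):
        self.script = script  # shared list, consumed across reconnects
        self.options = {}

    def set_option(self, name, value):
        self.options[name] = value

    def search(self, flt):
        if self.script:
            raise self.script.pop(0)
        return [("uid=jon,ou=people,dc=example,dc=org", flt)]

def search_with_retry(connect, cfg, flt, attempts=3):
    """Handle TIMEOUT like SERVER_DOWN: discard the connection, reconnect, retry."""
    last = None
    for _ in range(attempts):
        conn = connect()
        for name, value in timeout_options(cfg).items():
            conn.set_option(name, value)
        try:
            return conn.search(flt)
        except (TIMEOUT, SERVER_DOWN) as exc:
            last = exc  # bounded wait expired or server gone; open a new one
    raise last  # give up after a bounded number of attempts instead of hanging
```
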