Go implementation of nslcd

Well, kind of.  Only the nslcd-protocol side, not the LDAP side.

I've generally found that if you need to write a custom authentication
"plug-in" for something, the easiest thing to do is to grab the LDAP
"plug-in", and gut the LDAP code, replacing it with your stuff.

This ended up being true-ish for NSS/PAM as well!  At first I tried to
hack up nslcd, but it was just too hard.  The LDAP permeated through
the code deeply, and it was hard to change.

Then I looked at pynslcd.  I just wasn't... comfortable with it.  I
wanted more... checks when "compiling".  At the end of the day, I
think typechecking is helpful.  (But, it is what made me think that
other people might be interested in my Go implementation.)

By that point, I realized that the nslcd protocol was pretty simple,
and decided to write a Go implementation.

The nslcd protocol part I packaged into a very simple-to-use library:

    go get

It even includes a simple stub for implementing a systemd-style
socket-activated service:

    import (
        nslcd_systemd ""
    func main() {
        backend := ...;

So literally everything is taken care of for you except for writing
the backend, which implements the
"".Backend interface.
You can even inherit from .NilBackend, and only implement the methods
interesting to you:

    type MyBackend struct {

    func (b *MyBackend) Passwd_ByName(cred syscall.Ucred, req nslcd_proto.Request_Passwd_ByName) <-chan nslcd_proto.Passwd {

The struct types defined in the `nslcd_proto
""` package are very literal,
direct interpretations of the information in `nslcd.h`.

An example of its uses is `nshd`, part of the parabola-hackers

The systemd unit files are maybe worth taking a look at, because it
turns out that there is a deadlock in systemd that must be worked
around if you have a socket-activated service that provides NSS

Anyway, I hope someone finds it interesting or useful.

Happy hacking,
~ Luke Shumaker
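
The following is an added example, not code from this message or from the library it announces: a minimal Go decoder for a passwd-by-name request as it arrives on the nslcd socket, with the length check a daemon needs before allocating for a client-supplied string. The version and action values and the network byte order are assumed from nss-pam-ldapd's `nslcd.h`; the function names and the 1024-byte cap are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Values assumed from nss-pam-ldapd's nslcd.h (protocol version 2).
const (
	nslcdVersion       = 0x00000002
	actionPasswdByName = 0x00080001
	maxStringLen       = 1024 // cap chosen for this example, not from nslcd.h
)

var errBadRequest = errors.New("nslcd: malformed request")

// ParsePasswdByName decodes one request: int32 version, int32 action, then the
// user name as an int32 length plus bytes, all in network byte order.
func ParsePasswdByName(r io.Reader) (string, error) {
	var hdr [3]int32 // version, action, name length
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return "", err
	}
	if hdr[0] != nslcdVersion || hdr[1] != actionPasswdByName {
		return "", errBadRequest
	}
	// Reject negative or oversized lengths before allocating anything.
	if hdr[2] < 0 || hdr[2] > maxStringLen {
		return "", errBadRequest
	}
	buf := make([]byte, hdr[2])
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", err // short read: the client sent fewer bytes than it claimed
	}
	return string(buf), nil
}

// EncodePasswdByName builds the bytes a client would send (constructed sample input).
func EncodePasswdByName(name string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, []int32{nslcdVersion, actionPasswdByName, int32(len(name))})
	b.WriteString(name)
	return b.Bytes()
}

func main() { fmt.Println(ParsePasswdByName(bytes.NewReader(EncodePasswdByName("alice")))) }
```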