lists.arthurdejong.org

Re: [nssldap] nss_ldap under Solaris 10




On Sat, 19 Jan 2008, Matthew Hardin wrote:

> We at Symas have successfully built and packaged pam_ldap and nss_ldap
> for Solaris 10. There have been no reported issues with our current
> releases, and the packages appear to be working well at a number of large
> and small sites.

Thanks for the feedback. I did some initial testing compiled against the
native Sun LDAP libraries; I got it working in plain text okay but not with
SSL. I knew I had the certificates configured correctly for the Sun
libraries because the native ldapsearch command worked fine, but nss_ldap
would only complain it could not contact the server. I saw traffic to the
SSL port; I'm assuming some incompatibility between nss_ldap and the Sun
SSL stuff.

Unfortunately my budget precludes purchasing your packages :)...


> One thing to watch for in the standard build for nss_ldap that uses SSL,
> particularly on Solaris, is the namespace pollution that takes place if
> nss_ldap is loaded directly into a process's namespace. This can cause

I've actually had similar issues under Linux. One time I ended up with
nss_ldap linked against an older version of OpenSSL than sshd, with rather
annoying failures. That is the one thing I think Sun got right, splitting
up the process actually contacting the LDAP server away from the client
calling it. It would be nice if nss_ldap could evolve such a mechanism with
a dedicated daemon for LDAP communications and a small nss stub
communicating via basic sockets to prevent namespace pollution...

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
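
The library mismatch described in the message above (an NSS module and the process loading it linked against different OpenSSL versions) can be checked for by comparing `ldd` output. This is an added example, not part of the original post or of nss_ldap; the function names, the watched library list and the sample `ldd` text are constructed for illustration.

```python
import re
import subprocess
import sys

# Matches ldd lines such as "libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x...)"
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")
# Splits a soname: "libssl.so.0.9.8" -> ("libssl", "0.9.8")
SONAME = re.compile(r"^(lib[^/]+?)\.so\.?([\w.]*)$")

def parse_ldd(text):
    """Return {library base name: (version, resolved path)} from ldd output."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        s = SONAME.match(m.group(1)) if m else None
        if s:
            deps[s.group(1)] = (s.group(2), m.group(2))
    return deps

def conflicts(host_ldd, module_ldd,
              watch=("libssl", "libcrypto", "libldap", "liblber")):
    """List watched libraries that the host binary and the NSS module
    both link, but resolve to a different version or path."""
    host, mod = parse_ldd(host_ldd), parse_ldd(module_ldd)
    return [(lib, host[lib], mod[lib]) for lib in watch
            if lib in host and lib in mod and host[lib] != mod[lib]]

# Constructed sample output, not captured from a real system.
SAMPLE_SSHD = """\
\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f0000100000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000300000)
"""
SAMPLE_NSS_LDAP = """\
\tlibldap.so.2 => /usr/lib/libldap.so.2 (0x00007f0000500000)
\tlibssl.so.0.9.7 => /opt/old/lib/libssl.so.0.9.7 (0x00007f0000600000)
\tlibcrypto.so.0.9.7 => /opt/old/lib/libcrypto.so.0.9.7 (0x00007f0000700000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000300000)
"""

def run_ldd(path):
    """Run the system ldd on a binary or shared object and return its output."""
    return subprocess.run(["ldd", path], capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Usage: script.py /path/to/host-binary /path/to/nss-module.so
    if len(sys.argv) == 3:
        found = conflicts(run_ldd(sys.argv[1]), run_ldd(sys.argv[2]))
    else:
        found = conflicts(SAMPLE_SSHD, SAMPLE_NSS_LDAP)
    for lib, host, mod in found:
        print(f"{lib}: host uses {host[0]} ({host[1]}), module uses {mod[0]} ({mod[1]})")
```

This only compares link-time dependencies; libraries pulled in at run time through dlopen would not show up in the `ldd` output.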