
Re: [nssldap] Mega patch against nss_ldap 264


I have revisited this code and posted some new patches to the bugzilla.
This now includes more comprehensive recovery code when the connection
to the server goes down.

I know of one outstanding issue with the group stuff: where recursion is
used to expand nested groups, the recovery code fails. I intend to remove
the recursion and replace it with list-walking code to produce the
transitive closure needed for this function.

If anybody is feeling brave and would like to test this out, I need
to know I have not broken any of:
1. Plain text password binds
2. Anonymous binds
3. SSL/TLS binds
4. Other LDAP backends - my major testing has been against Active
Directory, so tests against the Fedora Directory Server (389DS) and
OpenLDAP would be useful.

Furthermore, I have tested but not implemented in production the keytab
based renewal code. So if someone can hammer this it would be great.

Howard.

P.S. I think the hard/soft features in the Bind code should now function
as advertised - can somebody check this as well?

On Tue, 2008-12-09 at 22:13 +0000, Luke Howard wrote:
> Thanks Howard! I am a bit snowed under now but I really look forward 
> to taking a look at this.
> 
> -- Luke
> 
> On 10/12/2008, at 5:30 AM, Howard Wilkinson wrote:
> 
> > I have just pushed a large patch against nss_ldap 264 up to the
> > bugzilla.
> >
> > This is a structural alteration at the source code level to ldap-
> > nss.c which is generally just changing how it reads. However, it 
> > fixes some bugs in the kerberos pathways and also commons up code 
> > that had multiple copies in the code source.
> >
> > I would be very grateful if anybody could try it out and let me know
> > what I have broken.
> >
> > My intention with this is to make the critical path through the code
> > run the minimal code when a connection to the LDAP server exists,
> > make recovery on failure more resilient, and provide for multiple
> > SASL mechs without need to alter the ldap-nss code.
> >
> > Comments, improvements and fault reports much appreciated.
> >
> > I am hoping that Luke will push this out as the basis for the main 
> > development downstream, so that I can add the extra features on the 
> > kerberos side I am looking for.
> >
> > Howard.
> >
> >
> 
> --
> www.padl.com | www.fghr.net
-- 
Howard Wilkinson <howard@cohtech.com>
Coherent Technology Limited
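The message above proposes replacing recursive nested-group expansion with list-walking code that computes the transitive closure of group membership. The following is an added, self-contained illustration of that approach and is not code from nss_ldap or from the patch under discussion. It uses a constructed in-memory directory (hypothetical group and user names) in place of LDAP lookups; the point it shows is that a worklist plus a visited list expands nested groups without recursion and terminates even when groups reference each other or themselves, which is the case where a naive recursive walk never returns.

```c
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS  8
#define MAX_MEMBERS 8
#define MAX_NAME    32

/* A group and its direct members. Members that are themselves group
 * names are nested groups; everything else is treated as a user. */
struct group {
    const char *name;
    const char *members[MAX_MEMBERS];
};

/* Constructed sample directory (hypothetical names). "admins" and "ops"
 * reference each other and "dev" references itself, so a recursive
 * expansion without cycle tracking would loop forever. */
static const struct group directory[] = {
    {"admins", {"alice", "ops", NULL}},
    {"ops",    {"bob", "admins", "dev", NULL}},
    {"dev",    {"carol", "dev", NULL}},
    {"qa",     {"dave", NULL}},
    {NULL,     {NULL}}
};

/* Stand-in for an LDAP search by group name; NULL if no such group. */
static const struct group *find_group(const char *name)
{
    for (const struct group *g = directory; g->name; g++)
        if (strcmp(g->name, name) == 0)
            return g;
    return NULL;
}

static int in_list(const char *const *list, int n, const char *s)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], s) == 0)
            return 1;
    return 0;
}

static int in_users(char users[][MAX_NAME], int n, const char *s)
{
    for (int i = 0; i < n; i++)
        if (strcmp(users[i], s) == 0)
            return 1;
    return 0;
}

/* Iteratively expand the nested membership of 'root'. Fills users[] with
 * the unique user names reachable through any chain of nested groups and
 * returns how many were found. The worklist replaces the call stack; the
 * visited list guarantees each group is processed at most once, so cycles
 * and self-references terminate instead of recursing without bound. */
int expand_group(const char *root, char users[][MAX_NAME], int max_users)
{
    const char *worklist[MAX_GROUPS];
    const char *visited[MAX_GROUPS];
    int nwork = 0, nvisited = 0, nusers = 0;

    if (!find_group(root))
        return 0;                       /* unknown root group */

    worklist[nwork++] = root;
    visited[nvisited++] = root;

    while (nwork > 0) {
        const struct group *g = find_group(worklist[--nwork]);
        if (!g)
            continue;                   /* dangling reference: skip it */

        for (int i = 0; g->members[i]; i++) {
            const char *m = g->members[i];

            if (find_group(m)) {
                /* Nested group: enqueue only the first time we see it. */
                if (!in_list(visited, nvisited, m) && nvisited < MAX_GROUPS) {
                    visited[nvisited++] = m;
                    worklist[nwork++] = m;
                }
            } else if (!in_users(users, nusers, m) && nusers < max_users) {
                snprintf(users[nusers++], MAX_NAME, "%s", m);
            }
        }
    }
    return nusers;
}

int main(void)
{
    char users[MAX_GROUPS * MAX_MEMBERS][MAX_NAME];
    int n = expand_group("admins", users, MAX_GROUPS * MAX_MEMBERS);
    printf("admins expands to %d user(s):", n);
    for (int i = 0; i < n; i++)
        printf(" %s", users[i]);
    printf("\n");
    return 0;
}
```

Because each group is pushed onto the worklist at most once, the worklist never holds more entries than there are groups, so the fixed-size arrays are safe for the sample directory; a real implementation would size them from the directory or allocate dynamically.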