07-20-2008, 04:11 PM
Pasi Kärkkäinen

Packaging nss-ldapd for fedora

Hello!

Anyone planning to upload/maintain nss-ldapd to fedora?

Seems like a better solution than nss-ldap..

http://ch.twi.tudelft.nl/~arthur/nss-ldapd/

-- Pasi

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-20-2008, 06:18 PM
Enrico Scholz

Packaging nss-ldapd for fedora

Pasi Kärkkäinen <pasik@iki.fi> writes:

> Seems like a better solution than nss-ldap..

<rant>
For the beginning, it would be really nice when Fedora 9 and RHEL 5.2
get a *working* nss_ldap and nscd. Current situation makes it nearly
impossible to use LDAP NSS with a recent RH distribution
</rant>


Enrico

07-21-2008, 08:28 AM
Howard Wilkinson

Packaging nss-ldapd for fedora

Enrico Scholz wrote:

> Pasi Kärkkäinen <pasik@iki.fi> writes:
>
>> Seems like a better solution than nss-ldap..
>
> <rant>
> For the beginning, it would be really nice when Fedora 9 and RHEL 5.2
> get a *working* nss_ldap and nscd. Current situation makes it nearly
> impossible to use LDAP NSS with a recent RH distribution
> </rant>
>
> Enrico



Enrico, could you expand on the issues you see with nss_ldap under
Fedora. I have recently done some work on the Kerberos ticket handling
in nss_ldap and am now not seeing major problems with this combination.
I do still see failures in the nss_ldap code occasionally but I think
this is in the use of the kerberos/gssapi/sasl/ldap libraries rather
than the code itself. Have yet to pin this down. So any more
information would be nice.

Howard.





07-21-2008, 09:21 AM
Enrico Scholz

Packaging nss-ldapd for fedora

Howard Wilkinson <howard@cohtech.com> writes:

> Enrico, could you expand on the issues you see with nss_ldap under
> Fedora.

after some time, bash hangs while expanding e.g. ~en<tab>; koji/bodhi
hang uninterruptible (only 'kill -9' helps; ^Z + ^C are not working)
when nscd is not running (which segfaults periodically).

Bugzilla is full with deep-red reports against nss_ldap


Enrico

07-21-2008, 10:10 AM
Howard Wilkinson

Packaging nss-ldapd for fedora

Enrico Scholz wrote:

> Howard Wilkinson <howard@cohtech.com> writes:
>
>> Enrico, could you expand on the issues you see with nss_ldap under
>> Fedora.
>
> after some time, bash hangs while expanding e.g. ~en<tab>; koji/bodhi
> hang uninterruptible (only 'kill -9' helps; ^Z + ^C are not working)
> when nscd is not running (which segfaults periodically).
>
> Bugzilla is full with deep-red reports against nss_ldap
>
> Enrico



Enrico,

can you point me at the bugzilla reports please. I have been following
the ones on pdal but if there is another source I would like to see it.

Do the problems you see occur when using kerberos to authenticate to the
ldap server? Or are they in another path? You may need to set
"bind_policy soft" to get rid of the hangs.

Things that need some attention in nss_ldap include the ability to fail
over to a second ldap server, which may be your real problem.

Anyway, the version I run is 259 with my patches for the kerberos
library included (see PDAL bugzilla 298) and I get occasional
segfaults from nscd but otherwise it works nicely with kerberos keytabs
and file based tickets. I have yet to test memory based tickets.

Howard.





07-21-2008, 12:16 PM
Dmitry Butskoy

Packaging nss-ldapd for fedora

Pasi Kärkkäinen wrote:

> Hello!
>
> Anyone planning to upload/maintain nss-ldapd to fedora?
>
> Seems like a better solution than nss-ldap..
>
> http://ch.twi.tudelft.nl/~arthur/nss-ldapd/



Looks interesting...

Besides its useful features (fe. client/server splitting in the same
manner as Samba's winbindd does), this project is actively developed
now, and even the OpenLDAP upstream has written an overlay that
implements their own alternative "server" part for nss-ldapd.


I'll try to consider it more closely this week...


Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy

07-21-2008, 12:37 PM
yersinia

Packaging nss-ldapd for fedora

Just for info, the nss-ldapd design looks very similar to AIX 5L ldap client design.

Regards

On Mon, Jul 21, 2008 at 2:16 PM, Dmitry Butskoy <buc@odusz.so-cdu.ru> wrote:

> Pasi Kärkkäinen wrote:
>
>> Hello!
>>
>> Anyone planning to upload/maintain nss-ldapd to fedora?
>>
>> Seems like a better solution than nss-ldap..
>>
>> http://ch.twi.tudelft.nl/~arthur/nss-ldapd/
>
> Looks interesting...
>
> Besides its useful features (fe. client/server splitting in the same
> manner as Samba's winbindd does), this project is actively developed
> now, and even the OpenLDAP upstream has written an overlay that
> implements their own alternative "server" part for nss-ldapd.
>
> I'll try to consider it more closely this week...
>
> Dmitry Butskoy
> http://www.fedoraproject.org/wiki/DmitryButskoy



07-21-2008, 02:55 PM
Dmitry Butskoy

Packaging nss-ldapd for fedora

Dmitry Butskoy wrote:

> Pasi Kärkkäinen wrote:
>
>> Hello!
>>
>> Anyone planning to upload/maintain nss-ldapd to fedora?
>> Seems like a better solution than nss-ldap..
>>
>> http://ch.twi.tudelft.nl/~arthur/nss-ldapd/
>
> Looks interesting...
>
> Besides its useful features (fe. client/server splitting in the same
> manner as Samba's winbindd does), this project is actively developed
> now, and even the OpenLDAP upstream has written an overlay that
> implements their own alternative "server" part for nss-ldapd.
>
> I'll try to consider it more closely this week...


Well,

It provides NSS stuff only (whereas the ordinary nss_ldap provides both
NSS and PAM with one common config file). It seems that upstream is
focused on NSS only.


Two possible ways:

1) The current nss_ldap could be split to nss_ldap and pam_ldap (it
looks obvious because both have individual source tarballs). Then
"alternatives" could be used to switch between the old nss_ldap and new
nss-ldapd implementations.


2) Nss-ldapd's "nss_ldap.so" could be just renamed to, say,
"nss_ldapd.so" (and use "ldapd" in /etc/nsswitch.conf). This way
alternatives are not needed.


Anyway, from the current point of view, the switch to nss-ldapd will
increase the number of configuration files to edit (/etc/ldap.conf for
PAM, and /etc/nss-ldapd.conf for NSS), and both files look very identical...


Certainly an alternate PAM implementation seems not needed, the
client/server here is useful for NSS only. But it would be very fine if
nss-ldapd could use the same config file as pam_ldap uses (IOW, how the
current nss_ldap does). I don't know whether it is possible now or
intended to be possible in the future.


Any comments? Does anyone have good contact with upstream?


~buc



07-21-2008, 05:34 PM
Enrico Scholz

Packaging nss-ldapd for fedora

Howard Wilkinson <howard@cohtech.com> writes:

>>> Enrico, could you expand on the issues you see with nss_ldap under
>>> Fedora.
>
> can you point me at the bugzilla reports please. I have been following
> the ones on pdal but if there is another source I would like to see it

https://bugzilla.redhat.com/buglist.cgi?component_text=nss_ldap


> Do the problems you see occur when using kerberos to authenticate to
> the ldap server? Or are they in another path? You may need to set
> "bind_policy soft" to get rid of the hangs.

No kerberos (at least not for LDAP bind), only a single LDAP server, no
SSL/TLS. 'koji list-api' gets stuck at

| open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
| fstat(5, {st_mode=S_IFREG|0644, st_size=2693, ...}) = 0
| mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb3c3218000
| read(5, "root:x:0:0:root...
| read(5, "", 4096) = 0
| close(5) = 0
| munmap(0x7fb3c3218000, 4096) = 0
| futex(0x7fb3bb1bee00, FUTEX_WAIT_PRIVATE, 2, NULL

This futex address is used here the first and only time; there are no
children or threads which could issue a WAKE.

nsswitch.conf contains 'ldap' entries for 'passwd' and 'group' only (not
for 'shadow' or 'hosts').


The bash lockups are not 100% reproducible, but bash hangs in such a
futex() call too. There is a connection to the ldap server in CLOSE_WAIT
state and a unix socket (connection to a dead nscd?) in this situation.


> Things that need some attention in nss_ldap include the ability to
> fail over to a second ldap server, which may be your real problem.

$ sed '/^(#.*|)$/d' /etc/ldap.conf
host ldap.bigo.ensc.de.
base dc=bigo,dc=ensc,dc=de
pam_min_uid 1000
nss_base_passwd ou=People,dc=bigo,dc=ensc,dc=de?one
nss_base_group ou=Group,dc=bigo,dc=ensc,dc=de?one
ssl no
pam_password md5



> Anyway, the version I run is 259 with my patches for the kerberos
> library included (see PDAL bugzilla 298) and I get occasional
> segfaults from nscd but otherwise it works nicely with kerberos
> keytabs and file based tickets. I have yet to test memory based
> tickets.

nss_ldap-259-3.fc9.x86_64




Enrico
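
Added example, not part of Enrico's message or of nss_ldap itself: a static check of the settings this exchange turns on (bind_policy, the number of LDAP servers, and TLS), run over the ldap.conf posted above. The nsswitch.conf sample is constructed from the description in the message, the finding names are invented for the example, and the list of ssl values treated as enabling TLS is an assumption.

```python
# Added example, not from the thread. LDAP_CONF is as posted; NSSWITCH is constructed.
LDAP_CONF = """host ldap.bigo.ensc.de.
base dc=bigo,dc=ensc,dc=de
pam_min_uid 1000
nss_base_passwd ou=People,dc=bigo,dc=ensc,dc=de?one
nss_base_group ou=Group,dc=bigo,dc=ensc,dc=de?one
ssl no
pam_password md5
"""
NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files\nhosts: files dns\n"

def parse_ldap_conf(text):
    """Map each keyword (lower-cased) to its value, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def ldap_databases(text):
    """Return the nsswitch.conf databases that list 'ldap' as a source."""
    dbs = []
    for line in text.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep and "ldap" in sources.split():
            dbs.append(db.strip())
    return dbs

def audit(ldap_conf_text, nsswitch_text):
    """Return finding codes for the settings raised in the thread."""
    conf, dbs = parse_ldap_conf(ldap_conf_text), ldap_databases(nsswitch_text)
    if not dbs:                      # NSS does not consult LDAP at all
        return []
    findings = []
    servers = (conf.get("uri", "") + " " + conf.get("host", "")).split()
    if conf.get("bind_policy", "").lower() != "soft":
        findings.append("bind_policy-not-soft")   # setting suggested for the hangs
    if len(servers) < 2:
        findings.append("single-server")          # nothing to fail over to
    tls = conf.get("ssl", "").lower() in ("on", "yes", "true", "start_tls")
    if not tls and not any(s.lower().startswith("ldaps://") for s in servers):
        findings.append("no-tls")                 # lookups cross the wire in cleartext
    return findings

if __name__ == "__main__":
    print(ldap_databases(NSSWITCH), audit(LDAP_CONF, NSSWITCH))
```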

07-23-2008, 01:08 PM
Dmitry Butskoy

Packaging nss-ldapd for fedora

Pasi Kärkkäinen wrote:

> Hello!
>
> Anyone planning to upload/maintain nss-ldapd to fedora?
>
> Seems like a better solution than nss-ldap..
>
> http://ch.twi.tudelft.nl/~arthur/nss-ldapd/



This soft seems to be related to "production environments", hence there
are more chances for a reply in some CentOS-related maillists etc. As
you see, no real interest in Fedora, for now... (Maybe a time of
vacations?).



~buc
