Brian May <br...@microcomaustralia.com.au> writes:

> On 31 May 2013 20:19, Bastien ROUCARIES <roucaries.bast...@gmail.com> wrote:
>
>> Gnutls is really crappy about suid
>> see http://lists.debian.org/debian-devel/2010/03/msg00298.html
>
> 2+ years later or 2 Debian releases later, I would have hoped these issues
> would be, somehow, magically, fixed by now :-(
>
> Basically makes libpam-ldap + TLS broken with certain programs.
>
> libnss-ldap is probably also broken, but seems you should be using
> libnss-ldapd these days which may (?) avoid these problems.
Yes, libpam-ldapd does avoid this problem. The ldap connections are managed by
a separate daemon (nslcd) that runs as a limited user account and isn't suid.
The pam (and nss) modules then contact this daemon via a socket to run ldap
queries. In addition to avoiding the gnutls bugs this brings better latency and
connection pooling (with libnss-ldap one needs an ldap connection per
nss-using process; these pile up quite fast indeed).

-- 
Arto Jantunen

Archive: http://lists.debian.org/87y5aup1q0....@iki.fi
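The split Arto describes, as an added nslcd.conf fragment (example written for this page, not taken from the thread or from the nss-pam-ldapd project; the server hostname, base DN and CA bundle path are assumptions): the daemon alone holds the LDAP/TLS session and drops to a dedicated account, while pam_ldap/nss_ldap in the calling process only talk to its socket.

```conf
# /etc/nslcd.conf (illustrative; adjust uri, base and CA path to your site)

# Run the daemon unprivileged. Only nslcd opens the TLS connection, so the
# GnuTLS code never executes inside a suid program; the suid binary merely
# connects to the nslcd socket.
uid nslcd
gid nslcd

# Directory server and search base (assumed values).
uri ldaps://ldap.example.org/
base dc=example,dc=org

# Enforce TLS: require a server certificate that validates against the
# system CA bundle. "demand" makes an unverifiable certificate a hard
# failure instead of a silent fallback.
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Scope lookups to the maps PAM and NSS actually need.
base passwd ou=people,dc=example,dc=org
base group  ou=groups,dc=example,dc=org
base shadow ou=people,dc=example,dc=org

# Optional: bind identity for directories that refuse anonymous search.
# The password lives only in this root-owned file, never in the suid
# client processes.
# binddn cn=nslcd,ou=services,dc=example,dc=org
# bindpw  (placeholder: set the real secret here and chmod 0600 this file)
```

Because every lookup from pam_ldap or nss_ldap goes through the one daemon socket, a single pooled connection serves all callers, which is the latency and connection-count benefit mentioned above.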