While it's very important to work on OpenLDAP compatibility issues,
as Thunderbird is not the only application having these kinda
problems, we are simply not there yet and it is extremely unlikely
we're gonna be 100% compatible ever, mostly due to security layer/s
diffs and no easy way to solve them today. I really dunno what to
suggest to Thunderbird developers apart from maybe linking with
ldap libs statically and restricting to local [ -Wl,-B,static
-Wl,-B,local ], I dunno, seems like there is no clean solution :(
Rich Megginson wrote:
I apologize for cross posting, but I think this problem involves both
Thunderbird and LDAP developers.

There is a problem with Thunderbird and pam_ldap/nss_ldap. The problem
exists because Thunderbird uses the Mozilla LDAP C SDK and
pam_ldap/nss_ldap (on most linux/*bsd systems anyway) use the OpenLDAP C
SDK. The two APIs, while similar, have some incompatibilities, which
cause crashing when either Thunderbird calls an OpenLDAP function or
pam_ldap/nss_ldap call a Mozilla LDAP function. There has been a bug
open about this problem for a while, and this bug lists some of the
proposed solutions to this problem -
https://bugzilla.mozilla.org/show_bug.cgi?id=292127

I'd like to use this thread to discuss some possible solutions. One
solution that has been proposed several times is to just use the
OpenLDAP API for Thunderbird. This has a couple of problems:
1) May require some porting work in cases where Thunderbird depends on
some API functionality present in the Mozilla API but not in OpenLDAP.
2) Cannot use LDAP with TLS/SSL because Thunderbird uses NSS while
OpenLDAP uses OpenSSL.

Another solution is to use build time and/or run time linker options so
that Thunderbird only uses Mozilla LDAP functions and pam_ldap/nss_ldap
only use OpenLDAP functions. This would likely require a bit of work to
the Thunderbird makefiles to make it work and make it portable, and
probably some work to the Mozilla LDAP builds. If it requires work to
pam or nss, it's likely a non-starter.

I would eventually like to unify the Mozilla and OpenLDAP APIs. The
easiest way would be to change or extend the semantics of the Mozilla
API to match the OpenLDAP API. Much harder would be to make OpenLDAP
use NSS for crypto and change its semantics to match Mozilla's. It's
ironic that work is underway to make OpenLDAP use gnutls for crypto . . .
but perhaps the result of that work will make it easier to make
OpenLDAP use NSS.
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
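
A check related to the linker-option approach discussed in this thread, as an added example that is not part of either message: it parses `nm -D` output from two objects and lists the names both export, which is where a call can bind to the wrong SDK. The `nm` listings, the labels, and the function names `exported_symbols` and `collisions` are constructed for illustration.

```python
import re

# Constructed `nm -D` listings (not from real binaries). Labels are hypothetical.
MOZ_SDK = """\
0000000000011a40 T ldap_init
0000000000011f10 T ldap_simple_bind_s
0000000000012c80 T ldap_unbind
0000000000013000 T ldapssl_init
                 U PR_Connect
0000000000013400 t nsldapi_local_helper
"""
OPENLDAP_SDK = """\
000000000000a100 T ldap_init@@OPENLDAP_2.4_2
000000000000a5c0 T ldap_initialize@@OPENLDAP_2.4_2
000000000000b220 T ldap_simple_bind_s@@OPENLDAP_2.4_2
000000000000c010 T ldap_unbind@@OPENLDAP_2.4_2
                 U SSL_connect
"""
# Constructed: a client built so the LDAP code is linked in and not exported.
CLIENT_LOCALIZED = """\
0000000000004000 T main_entry
                 U PR_Connect
"""

# "<address> <type> <name>"; the address column is blank for undefined symbols.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+)?\s+([A-Za-z])\s+(\S+)$")

def exported_symbols(nm_output):
    """Return the names an object defines with global binding."""
    names = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue
        kind, name = m.groups()
        # Uppercase type letters are global; "U" is an undefined reference.
        if kind.isupper() and kind != "U":
            names.add(name.split("@", 1)[0])  # drop any symbol-version suffix
    return names

def collisions(nm_a, nm_b):
    """Names exported by both objects: candidates for cross-binding."""
    return sorted(exported_symbols(nm_a) & exported_symbols(nm_b))

if __name__ == "__main__":
    print("both SDKs export:", collisions(MOZ_SDK, OPENLDAP_SDK))
    print("localized client vs OpenLDAP:", collisions(CLIENT_LOCALIZED, OPENLDAP_SDK))
```

An empty result for the localized build is the outcome the static-link-and-localize suggestion is aiming for; any shared name in the first comparison is one that can resolve to the other SDK when both are loaded into one process.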