<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Mantas,<br>
<br>
I'm aware of all the software you mentioned, but there are a few
things to consider:<br>
- nslcd is quite old and personally I don't think it's the way to
go<br>
- glibc's nscd wouldn't help in this case and would just bring
trouble (based also on my experience). More and more admins
(for at least a few years now) have been avoiding nscd in
complex network environments, particularly because of problems
with DNS caching in case of failover, etc.<br>
<br>
I thought about sssd as a replacement, but haven't had time to
test this combination yet (although I have quite a lot of experience
with sssd). If somebody has any experience in this area, please
share ;-)<br>
<br>
Regards,<br>
Vlad.<br>
<br>
On 04/07/18 13:50, Mantas Mikulėnas wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPWNY8V3+=yWkL4NDzq8dEwrnFhC7yeYM1our-WdiYUN-w5XYw@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">On Wed, Jul 4, 2018 at 2:03 PM Lennart
Poettering <<a href="mailto:lennart@poettering.net"
moz-do-not-send="true">lennart@poettering.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I am
pretty sure it's not the best design today that nss-ldap
inserts<br>
a complex, network-facing piece of code into all kinds of
system<br>
processes the way it does, even the most benign ones such as<br>
"ls". This is security-sensitive stuff after all...<br>
</blockquote>
<div><br>
</div>
<div>There actually exist two modules both named
'libnss_ldap': the original one from PADL loads an LDAP
client directly in-process, while the one from 'nslcd' (aka
nss-pam-ldapd) uses a Unix socket connection to its own
daemon (so it works the same way as nss-resolve). And yes,
the one in nslcd should be used whenever possible.</div>
<div><br>
</div>
<div>(I think glibc's nscd should also not be forgotten, since
it offloads *all* modules into a single caching daemon.
Would have protected against last year's glibc libnss_dns
CVE, I'm sure.)</div>
</div>
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">Mantas Mikulėnas</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>