<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Wed, Jul 4, 2018 at 2:03 PM Lennart Poettering <<a href="mailto:lennart@poettering.net">lennart@poettering.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am pretty sure it's not the best design today that nss-ldap inserts<br>
a complex, network facing piece of code into all kinds of system<br>
processes the way it does, even the most benign ones such as<br>
"ls". This is security sensitive stuff after all...<br></blockquote><div><br></div><div>There actually exist two modules both named 'libnss_ldap': the original one from PADL loads a LDAP client directly in-process, while the one from 'nslcd' (aka nss-pam-ldapd) uses a Unix socket connection to its own daemon (so it works the same way as nss-resolve). And yes, the one in nslcd should be used whenever possible.</div><div><br></div><div>(I think glibc's nscd should also not be forgotten, since it offloads *all* modules into a single caching daemon. Would have protected against last year's glibc libnss_dns CVE, I'm sure.)</div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Mantas Mikulėnas</div></div></div>