[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Migrating openldap db backend from ibdm to bdb

Howard Chu <hyc@symas.com> wrote:
Hallvard B Furuseth wrote:
> matthew sporleder writes:
>> On 2/26/07, Hallvard B Furuseth wrote:
>>> Quanah Gibson-Mount writes:
>>>> Using vendor packages to run an OpenLDAP server is nearly always a bad
>>>> idea (Mandriva's a definite exception). There is almost nothing that
>>>> motivates the vendor to use current releases, or backport stability
>>>> fixes. There are known problems with the connection code in OL
>>>> 2.3.27, for example, that were fixed in OpenLDAP 2.3.32. In general,
>>>> use vendor packages at extreme risk.
>>> Is there something particular which makes this more so for OpenLDAP than
>>> other packages, or (...)
>>> I had the impression that this was mostly a RedHat issue. (...)
>> It's more a general problem with the decoupled nature of linux
>> distros. OpenLDAP is simply mentioned a lot on this list. :)
> Ouch. Does that mean the way to have a solid system is to check
> the age of most of its major packages and compile newer ones myself?

Unfortunately, I think this reflects some immaturity of the software.
We're still fighting with even the basic definition of the C API. There
are other packages in the same situation: I just installed OpenSUSE 10.2
on my laptop yesterday, which is the latest and greatest version there,
but it still shipped with old wireless lan drivers, that did not work on
my laptop. I had to go download current drivers and firmware and build
them manually before I had something usable.

The problems are exacerbated by the clumsy design of the
pam_ldap/nss_ldap mechanisms, which cause system-level functionality to
pollute user-program namespaces. If distros would take the proper steps
to hide the symbols of their dynamically loaded pam/nss modules from
user code, then most of the compatibility issues would disappear. (I
note that we do this correctly in Symas' CNS packages. Hint, hint.)

I have a feeling that not enough people complain to their distro vendors
about these problems, and so the distros continue to pretend the
problems don't exist.

-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/


You mentioned that Symas is correctly hiding the symbols when loading in pam/nss libraries.  How are you doing this?  Are you using symbol versioning, dlopen flags other than RLTD_LOCAL, something else (or combination)?  Also, is this being accomplished on Solaris as well?  I'm fighting this same issue and haven't found a good way to accomplish this yet (with the Solaris linker).

Darin Broady

Darin Broady