[Pkg-openldap-devel] Bug#340601: Bug#340601: ldapsearch hangs when using ldap for /etc/hosts

Russ Allbery rra at debian.org
Sun Feb 10 18:06:14 UTC 2008


Steve Langasek <vorlon at debian.org> writes:

> Ok, I've scaled back the patch a bit before committing it because a
> deeper search leaves me uncertain that res_query and dn_expand are
> thread-safe even in current versions of glibc.  Dropping the mutex for
> getaddrinfo() and getnameinfo() is sufficient to fix this bug, in any
> case.

I have now discussed this and the related fact that we're using libldap_r
for ldapsearch (which from upstream's perspective is the actual problem)
with upstream.  Upstream's stance on this is:

 * Using libldap_r for anything other than slapd is flatly unsupported and
   considered a bug.  We should not be doing that.  We should be treating
   libldap_r as a private library only for slapd.

 * libldap has no supported thread-safe API.  Threaded programs that link
   against libldap are required to handle locking themselves.

 * The root underlying problem would then be trying to use libnss-ldap and
   slapd together on the same system at the same time, because libnss-ldap
   pulls libldap into slapd's namespace.  Upstream's opinion is that
   libnss-ldap is broken in this regard and libnss-ldapd may be better.

 * People really shouldn't put hosts into LDAP; LDAP is a heavy-weight
   protocol that is not suited for use as a DNS resolver.

The last we can communicate back to the user and perhaps even put into the
documentation for libnss-ldap and libnss-ldapd.  For the rest, here is the
outline of an upstream-acceptable solution, which I'd love to be able to
get at.

 * Revert the change to link everything against libldap_r and ship only
   libldap in the libldap package (which will require nasty transition
   stuff, but putting that aside for right now).  Adjust the shlibs in the
   package accordingly, of course.

 * Ship libldap_r in the slapd package or in a separate package referenced
   by slapd and clearly document in the README.Debian for that package
   that those libraries are intended for use only with slapd and any other
   use is not supported.

 * Make slapd conflict with libnss-ldap so that people can't run both of
   them on the same system.  Unfortunately, since libnss-ldapd provides
   libnss-ldap, this is trickier than I'd like it to be.

I'm guessing that this is going to break other things, but I don't know
what.  Comments?

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>




