Milan Jurik wrote, On 2008-07-23 02:14:
> Few notes. Yes, Solaris (and not only Solaris these days) has Name
> Service Switch, which allows to have different name service backends
> (not only files and DNS, but also NIS, NIS+, LDAP ...). In Solaris,
> there are two known LDAP backends, Native LDAP backend, depending on
> Mozilla libldap, and PADL/OpenLDAP backend.
>
> You are right, /etc/ssl/certs are OpenSSL/OpenLDAP specific, so Michael
> is using PADL as LDAP backend probably (btw. not supported by Sun
> because it consumes Solaris private interfaces).

Above you wrote that "In Solaris, there are two known backends ... and PADL/OpenLDAP backend.", then you wrote that "LDAP backend ... not supported by Sun". I'm surprised that PADL would be "In Solaris", but "not supported by Sun". Did you perhaps mean that the PADL backend is available (from third parties) for Solaris, but is not officially a part of Solaris, and hence is not supported?

Is it possible that PADL now attempts to support/use either/both of NSS and OpenSSL? The strace output surely seems to suggest that.

> He should ask PADL for some fix. Not sure why Solaris 8 is OK for him.

If he's using S10's native LDAP backend (which uses NSS) or some version of PADL that uses NSS crypto on S10, but is running the native LDAP backend on S8, then that explains it, I believe.

In S8, the native ldap backend shared library had its own private copy of NSS linked inside of it. It did not use NSS shared libraries. Consequently, when it initialized NSS, it was not initializing the shared library copy that was being used by FF/TB, and so there was no conflict between the two NSSes. In S10, the native nss_ldap uses the NSS shared libraries, which FF/TB also use, so whoever initializes NSS first, wins.

> Your longer term solution - I think there are plans to move all naming
> requests to be process only by name service cache daemon, so in default
> mode applications will not be linked against some additional libraries
> than libc probably.

Thanks, Milan, this is all very helpful. I think the only remaining mystery is why his strace output appears to show that it was trying to initialize NSS (or at least search for NSS's data bases) *AND* also trying to find the OpenSSL shared libs. If OpenLDAP is now doing that, that's a significant development, I think.
