On 23/05/07, Lane, Ryan <[EMAIL PROTECTED]> wrote:
> First off, I've created a new LDAP mapping module for using the CN
> attribute. Where do I send the code?

Just here on this list.

> Second, the code I'm sending in may need to be cleaned up some. I'm not
> usually a C programmer, so there are likely some bugs.

No problem. If you wait until you have bug-free code you will never
release your patch.

> Finally, I'd like to comment on the current LDAP mapping module. The reason
> I took the time to write a new LDAP mapping module was because the current
> module has some pretty serious flaws. The module is probably fine in a
> network that has a handful of users, but in any medium to large network, the
> current module would bring the LDAP servers to their knees.
>
> The current module does a while loop over pwgetent(), pulls a pem from each
> user's LDAP entry, and then compares the retrieved pem to the pem on the
> card. In a network with 1000 users, it is possible that this module could
> make 1001 queries (excluding queries for the system accounts) just to log a
> user in or to unlock the screen. It would be far more efficient to search
> the LDAP server for the pem on the card, and return the username. This would
> only require one query to log a user in. This is the model that I use in the
> cn-ldap module.

Can you please test the subversion version of pam_pkcs11? The code has
seen a great amount of changes these 2 weeks. You may have to adapt your
patch to the latest version.

You can get the code using:
$ svn co https://www.opensc-project.org/svn/pam_pkcs11/trunk

Thanks

--
Dr. Ludovic Rousseau
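
The single-query lookup described in the quoted message puts a value read from the card into an LDAP search filter, so that value has to be escaped first. The following C is an added example, not code from this thread or from pam_pkcs11; the function names and the sample CN are hypothetical, and it assumes the lookup is by the `cn` attribute.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not pam_pkcs11 code): escape a filter value per
 * RFC 4515 so text read from the card cannot change the filter's shape.
 * Returns the escaped length, or -1 if out is too small. */
static int escape_filter_value(const unsigned char *in, size_t len,
                               char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        /* Filter metacharacters, NUL and non-ASCII bytes become \XX. */
        int special = c == '*' || c == '(' || c == ')' || c == '\\' ||
                      c == '\0' || c >= 0x80;
        if (o + (special ? 3 : 1) >= outsz)
            return -1;              /* keep room for the terminator */
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(cn=<escaped>)" for one directory search. 0 on success, -1 on overflow. */
static int build_cn_filter(const char *cn, char *out, size_t outsz)
{
    char esc[256];
    if (escape_filter_value((const unsigned char *)cn, strlen(cn),
                            esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outsz, "(cn=%s)", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char filter[512];   /* "Smith (ops) *" is a constructed sample CN */
    if (build_cn_filter("Smith (ops) *", filter, sizeof filter) == 0)
        puts(filter);
    return 0;
}
```

The resulting string is what would be handed as the filter argument to one search call (for example OpenLDAP's `ldap_search_ext_s`), replacing the per-user loop with a single query.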