python-ldap hanging for 15 minutes under certain conditions

Rich Megginson rich.megginson at
Mon Feb 7 18:29:59 CET 2011

On 02/05/2011 01:42 PM, Michael Wood wrote:
> Hi
> On 4 February 2011 17:35, Rich Megginson <rich.megginson at> wrote:
>> On 02/03/2011 11:59 PM, Michael Wood wrote:
>>> On 4 February 2011 08:32, James Andrewartha <jamesa at> wrote:
> [...]
>>>> Debian uses GnuTLS because OpenSSL has the non-GPL compatible
>>>> advertising clause, and libldap is linked into many GPL applications. So
>>> Ah, good point.
>>>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>>> Or switch to something else.
>> OpenLDAP 2.4.23 supports Mozilla NSS (triple licensed GPLv2+/LGPLv2+/MPL)
>> for crypto
>> Fedora 14 and later use this instead of OpenSSL
> Interesting.  But coincidentally, there's a thread currently on the
> libcurl mailing list about comparisons between different SSL/TLS libs
> that are supported by libcurl.  Howard Chu posted about GnuTLS and
> later about NSS.  In the NSS message he said:
> "I understand that RedHat is now building their OpenLDAP packages with our
> MozNSS support. I don't believe this combination is ready for primetime by any
> measure. They still don't even have release quality code for handling PEM
> files, and their current experimental code crashes/misbehaves in common (for
> OpenSSL) deployment scenarios.
No doubt Howard has been alarmed by the frequency of my patch 
submissions and the severity of the bugs they fix.
This is for adding the PEMNSS module to Mozilla NSS upstream.  The code 
has been used for years now, first in nss_compat_ossl (a library wrapper 
that implements OpenSSL APIs with Mozilla NSS code) and in libnsspem in 
RHEL/Fedora (part of the RHEL/Fedora nss package).
This has already been fixed both in OpenLDAP upstream and in current 
RHEL/Fedora code.

IMHO OpenLDAP with MozNSS is close to being stable.  I'm not just saying 
that - I'm prepared to "put my money where my mouth is" and so is my 
employer, Red Hat, who has committed to using OpenLDAP with MozNSS in 
Fedora and RHEL.  Also note that two of the core Mozilla NSS developers, 
including those working on Mozilla PEMNSS, are also Red Hat employees.

You can also use OpenLDAP with MozNSS without using PEM files at all if 
you are concerned about using the libnsspem module -

Why is Fedora/Red Hat doing this at all?  Why bother?
> Here's the link to the message in libcurl's mailing list archive:

