python-ldap hanging for 15 minutes under certain conditions

Michael Wood esiotrot at gmail.com
Tue Feb 8 09:10:52 CET 2011


Hi

On 7 February 2011 19:29, Rich Megginson <rich.megginson at gmail.com> wrote:
> On 02/05/2011 01:42 PM, Michael Wood wrote:
>>
>> Hi
>>
>> On 4 February 2011 17:35, Rich Megginson<rich.megginson at gmail.com>  wrote:
>>>
>>> On 02/03/2011 11:59 PM, Michael Wood wrote:
>>>>
>>>> On 4 February 2011 08:32, James Andrewartha<jamesa at daa.com.au>    wrote:
>>
>> [...]
>>>>>
>>>>> Debian uses GnuTLS because OpenSSL has the non-GPL-compatible
>>>>> advertising clause, and libldap is linked into many GPL applications.
>>>>> So
>>>>
>>>> Ah, good point.
>>>>
>>>>> the solutions are fix the OpenSSL licensing or make GnuTLS not suck; I
>>>>
>>>> Or switch to something else.
>>>
>>> OpenLDAP 2.4.23 supports Mozilla NSS (triple-licensed GPLv2+/LGPLv2+/MPL)
>>> for crypto.
>>> Fedora 14 and later use this instead of OpenSSL.
>>
>> Interesting.  But coincidentally, there's a thread currently on the
>> libcurl mailing list about comparisons between different SSL/TLS libs
>> that are supported by libcurl.  Howard Chu posted about GnuTLS and
>> later about NSS.  In the NSS message he said:
>>
>> "I understand that RedHat is now building their OpenLDAP packages with our
>> MozNSS support. I don't believe this combination is ready for primetime by
>> any measure. They still don't even have release-quality code for handling
>> PEM files, and their current experimental code crashes/misbehaves in common
>> (for OpenSSL) deployment scenarios.
>
> No doubt Howard has been alarmed by the frequency of my patch submissions
> and the severity of the bugs they fix.

Ah, sorry for opening up a can of worms :)

>> https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
> This is for adding the PEMNSS module to Mozilla NSS upstream.  The code has
> been used for years now, first in nss_compat_ossl (a library wrapper that
> implements OpenSSL APIs with Mozilla NSS code) and in libnsspem in
> RHEL/Fedora (part of the RHEL/Fedora nss package).

I am not wedded to PEM.  Perhaps NSS is the answer.  Now someone just
needs to convince Debian and/or Ubuntu of that :)  I have no idea if
anyone's tried.

>> https://bugzilla.redhat.com/show_bug.cgi?id=642433"
>
> This has already been fixed both in OpenLDAP upstream and in current
> RHEL/Fedora code.
>
> IMHO OpenLDAP with MozNSS is close to being stable.  I'm not just saying
> that - I'm prepared to "put my money where my mouth is" and so is my
> employer, Red Hat, who has committed to using OpenLDAP with MozNSS in Fedora
> and RHEL.  Also note that two of the core Mozilla NSS developers, including
> those working on Mozilla PEMNSS, are also Red Hat employees.

OK

> You can also use OpenLDAP with MozNSS without using PEM files at all if you
> are concerned about using the libnsspem module -
> http://www.openldap.org/faq/index.cgi?file=1514

Well, as I said above, I'm not wedded to PEM.  I am using Ubuntu for
reasons not related to OpenLDAP and so would prefer to use official
Ubuntu packages rather than compiling OpenLDAP myself and then having
to keep it up to date.  So for me, I think it would be best if Ubuntu
switched to an SSL library for OpenLDAP that did not cause me problems
like I had when using python-ldap -> OpenLDAP -> GnuTLS.  Of course,
the chances of Ubuntu switching just because I think it would be best
are minimal :)  Especially because I am not intimately familiar with
all the issues.

> Why is Fedora/Red Hat doing this at all?  Why bother?
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Thanks for that link.  I agree it's a worthy goal and it sounds like
NSS is the way to go.  I hope Debian and Ubuntu follow suit.

-- 
Michael Wood <esiotrot at gmail.com>