probably before we can call this stable --------------------------------------- * find problem with reachability of LDAP server * Debian package: protect /etc/nss-ldapd.conf if bindpw is used other items ----------- * probably document that you should use libpam-ldap for authentication without exposing the passwords through NSS * document test suite (instructions for setting up environment (server), LDIF file, nsswitch.conf and nss-ldapd.conf) * write more unit tests * maybe implement a connection object in the myldap module that is shared by different sessions (sessions need to be cleaned up) * add sanity checking code (e.g. not too large buffer allocation and checking that host, user, etc do not contain funky characters) in all server modules * log some statistics: "passwd=100 shadow=10 host=20 rpc=10" (10 req/minute) * in the server: once the request is done pass the flushing of the buffers to a separate thread so our workers are available to handle new requests * tune the filter and parameter buffer sizes * split out idle checking into separate function so we may be able to call it periodically from elsewhere (e.g. the main loop) * add an option to create an extra socket somewhere (so it may be used in chroot jails) * make I/O timeout between NSS lib and daemon configurable with configure * ethers: also look in ipHostNumber attribute to look up an IPv4 (IPv6) address and return it as an alternative entry * protocols/rpc: the description attribute should be used as an alias? * do more checks with failing LDAP connections (e.g. killing connections) * maybe make myldap code thread-safe (use locking) * review changes in nss_ldap and merge any useful changes * maybe rate-limit LDAP entry warnings * consider returning the canonical value as it is stored in LDAP, not the requested value (they can differ in case) * test non-ASCII characters in fields (mostly cn) * implement attribute defaults (for when they're missing from the directory) * implement attribute overrides (to always return a specific value, no matter what the directory says) * see if we can use LD_LIBRARY_PATH to run our tests in so we don't need to install NSS library in system path * only parse configuration options if they are available on the platform * have some more general mechanism to disable NSS module in nslcd * support searchbase autodetection * start the LDAP search and connection in myldap_get_entry() instead of in myldap_search() * maybe use datagram sockets for NSS/nslcd communication * support multiple search bases * support memberOf attribute in passwd entries that map to groups * rename tls_checkpeer option to tls_reqcert * setnetgrent() may need to return an error if the netgroup is undefined * handle repeated calls to getent() better (see http://bugzilla.padl.com/show_bug.cgi?id=376)