This page describes the basic design of nss-pam-ldapd. It was started as a fork of nss_ldap to fix a number of shortcomings. The most important problems were:
Furthermore, the original implementation had a lot of cross-platform compatibility code spread throughout, plus many complex constructs needed to function as an NSS module. This made it hard to maintain.
With nss-pam-ldapd the initial focus has been on getting it to work with glibc on Linux against OpenLDAP. Portability code was added later for most of the platforms that nss_ldap supported, in a way that does not burden the normal code with compatibility concerns.
Most of the problems of nss_ldap were solved by splitting the functionality in two parts:
Later on a PAM module was added that also communicates with the daemon.
Communication between the NSS part and the server part is done using a
simple request/response protocol.
The protocol hides the complexity of transforming NSS and PAM queries
into LDAP operations and transforming LDAP replies into a format that is
suitable as NSS results.
The protocol is described in the nslcd.h file.
Using a local socket ensures that the availability of the server component can be easily tested. The server component can be started during system boot after the LDAP server is reachable (i.e. when networking is available).
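The exchange described above, as an added example that is not nss-pam-ldapd's own code: a client-side encoder and decoder for the nslcd request/response protocol. The wire layout (native-order int32 words, strings sent as an int32 length followed by the bytes, a reply that echoes the version and action and then delimits each entry with begin/end result markers), the numeric constants and the default socket path are all assumptions taken from a reading of nslcd.h; verify them against the nslcd.h shipped with your release. The sample reply is constructed inline so the parser can be exercised without a running daemon.

```python
"""Client-side encoder/decoder for the nslcd request/response protocol.

Added example; not code from nss-pam-ldapd. Constants, socket path and
field layout are assumptions from a reading of nslcd.h; check your release.
"""
import socket
import struct

NSLCD_SOCKET_PATH = "/var/run/nslcd/socket"  # assumed default socket path
NSLCD_VERSION = 0x00000002                   # assumed; check nslcd.h
NSLCD_ACTION_PASSWD_BYNAME = 0x00080001      # assumed; check nslcd.h
NSLCD_RESULT_BEGIN = 1                       # assumed; check nslcd.h
NSLCD_RESULT_END = 2                         # assumed; check nslcd.h

MAX_STRING = 64 * 1024           # refuse absurd lengths from a buggy or hostile peer
INT32 = struct.Struct("=i")      # native byte order, as a same-host daemon would use


class ProtocolError(Exception):
    """Raised when a reply does not follow the expected layout."""


def put_int32(value):
    return INT32.pack(value)


def put_string(text):
    data = text.encode("utf-8")
    return put_int32(len(data)) + data


class Reader:
    """Sequential reader over a byte buffer; every read is bounds-checked."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def int32(self):
        if self.pos + INT32.size > len(self.data):
            raise ProtocolError("truncated reply: expected int32")
        (value,) = INT32.unpack_from(self.data, self.pos)
        self.pos += INT32.size
        return value

    def string(self):
        length = self.int32()
        if length < 0 or length > MAX_STRING:
            raise ProtocolError("unreasonable string length %d" % length)
        if self.pos + length > len(self.data):
            raise ProtocolError("truncated reply: expected %d string bytes" % length)
        value = self.data[self.pos:self.pos + length].decode("utf-8", "replace")
        self.pos += length
        return value


def build_passwd_byname_request(name):
    """Request: protocol version, action code, then the lookup key as a string."""
    if "\0" in name:
        raise ValueError("user name must not contain NUL")
    return put_int32(NSLCD_VERSION) + put_int32(NSLCD_ACTION_PASSWD_BYNAME) + put_string(name)


def build_passwd_response(action, entries):
    """Constructed reply in the assumed layout; used only to exercise the parser offline."""
    out = put_int32(NSLCD_VERSION) + put_int32(action)
    for name, passwd, uid, gid, gecos, home, shell in entries:
        out += put_int32(NSLCD_RESULT_BEGIN)
        out += put_string(name) + put_string(passwd) + put_int32(uid) + put_int32(gid)
        out += put_string(gecos) + put_string(home) + put_string(shell)
    return out + put_int32(NSLCD_RESULT_END)


def parse_passwd_response(data, expected_action):
    """Decode a passwd reply into a list of dicts, checking version and action first."""
    r = Reader(data)
    version = r.int32()
    if version != NSLCD_VERSION:
        raise ProtocolError("protocol version mismatch: got 0x%08x" % version)
    action = r.int32()
    if action != expected_action:
        raise ProtocolError("reply action 0x%08x does not match request" % action)
    entries = []
    while True:
        code = r.int32()
        if code == NSLCD_RESULT_END:
            return entries
        if code != NSLCD_RESULT_BEGIN:
            raise ProtocolError("unexpected result code %d" % code)
        entries.append({"name": r.string(), "passwd": r.string(),
                        "uid": r.int32(), "gid": r.int32(),
                        "gecos": r.string(), "dir": r.string(), "shell": r.string()})


def query_nslcd(name, path=NSLCD_SOCKET_PATH, timeout=5.0):
    """Send a real lookup to a running nslcd over its local socket (needs the daemon)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(build_passwd_byname_request(name))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_passwd_response(b"".join(chunks), NSLCD_ACTION_PASSWD_BYNAME)


if __name__ == "__main__":
    sample = build_passwd_response(NSLCD_ACTION_PASSWD_BYNAME,
                                   [("alice", "x", 1000, 1000, "Alice", "/home/alice", "/bin/sh")])
    print(parse_passwd_response(sample, NSLCD_ACTION_PASSWD_BYNAME))
```

The point of the bounds-checked reader is that the NSS module side of this exchange runs inside whatever process called getpwnam(), so a malformed or truncated reply must be rejected cleanly rather than trusted; the version and action checks make sure a reply cannot be confused with one for a different request.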
Apart from fixing some of the problems that were mentioned earlier nss-pam-ldapd has a number of other advantages:
Since an NSS module (and, to a lesser extent, a PAM module) is loaded into someone else's address space, opening files and connections (especially ones that stay open for longer periods) requires complicated locking, signal masking, checking of file descriptors, special fork() handling, etc. The OpenLDAP library and most SSL libraries have not been designed to be used in such environments, which makes things very difficult. All this complexity is eliminated in nss-pam-ldapd because the module only talks to the daemon over the local socket.
The nss_ldap source was refactored extensively, removing a lot of compatibility code. The NSS part of the code has been mostly rewritten from scratch, digging into the glibc source for the definitions of all functions (a little more documentation would be useful).
With the design change and the removal of a lot of complexity, some refactoring was done which resulted in a significantly smaller code size. This makes the codebase much more maintainable.
Over the years, features and support for other operating systems have been added. The 0.7 release added a PAM module and the 0.8 release included a Solaris NSS module. The 0.9 release included a switch in coding style and a good deal of new functionality (nested groups, password policy support, user modification functionality and more).
The above numbers were generated using David A. Wheeler's 'SLOCCount' over the ANSI C source code, excluding the test code. These numbers are not always 100% comparable because features were added or removed in some releases and the amount of compatibility support differs between them.
Some more information on the design and general notes on making modifications is available in the HACKING file.