severity 400448 wishlist
reassign 400448 gnutls
thanks

* Mitar ([EMAIL PROTECTED]) wrote:
> Package: libnss-ldap
[...]
> When I configure a CA directory with the "tls_cacertdir" configuration option
> in the /etc/libnss.conf file, NSS querying (for example "finger mitar") takes
> very long (about 20 seconds per query). With only a CA file in both
> /etc/libnss.conf and /etc/ldap/ldap.conf it is normally fast.
GNUTLS doesn't have the ability to do hash-based lookups in a directory
(that I know of, anyway; if it does, then this should be reassigned to
libldap to use it). Therefore, on every invocation all the CAs in the
directory have to be loaded into GNUTLS.

> Other LDAP programs (ldapsearch) verify the CA directory without delay. I
> noticed this delay only with libnss-ldap (and libpam-ldap, but I have not
> worked on that yet, so I am not sure that it is the same cause).

libnss-ldap isn't doing anything particularly special with regard to
TLS_CACERTDIR that I'm aware of. Your ldapsearch is probably using the
more recent libldap, which was compiled against openssl. That's not an
option for libnss-ldap or a number of other GPL utilities.

> I have only the default Debian CA certificates (ca-certificates) and one
> local self-signed one for the LDAP server.

There are quite a few default Debian CAs. You've asked libnss-ldap, and
therefore libldap, and therefore gnutls, to use all of them. If that's
really your intent, then you'll have to deal with the speed hit associated
with it (you might consider nscd to help with that). If that's not what
you want (and, really, it probably isn't, NSS lookups being rather
sensitive and all...), then you shouldn't tell libnss-ldap to do that.

Thanks,

	Stephen
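The practical consequence of the reply above is to stop pointing libnss-ldap at a whole CA directory and instead give it, via tls_cacertfile, only the one CA that issued the LDAP server's certificate. The script below is an added example for this thread; it is not code from the bug report, from libnss-ldap or from libldap. It assumes the openssl command-line tool (1.1.1 or later) is installed and uses "openssl verify" as a stand-in for the chain check the TLS library performs: it walks a candidate CA directory, reports which single file verifies the server certificate, and prints the corresponding tls_cacertfile line. The demo CA layout it builds (decoy1, decoy2, ldapca, ldap.example.org) is constructed and throwaway, not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libnss-ldap/libldap.
# Assumes the openssl CLI (1.1.1 or later) is available.
#
# A CA *directory* makes gnutls-based libldap load every CA in it on each
# lookup. This finds the one CA that actually issued the LDAP server's
# certificate so tls_cacertdir can be replaced by a single tls_cacertfile.
set -eu

# find_issuing_ca SERVER_CERT CA_DIR
# Prints the path of the first *.pem file in CA_DIR that verifies SERVER_CERT.
# Returns 1 if none does (e.g. the directory holds only unrelated CAs).
# -no-CAfile/-no-CApath keep the system trust store out of the check, so
# only the candidate file counts.
find_issuing_ca() {
    server_cert=$1
    ca_dir=$2
    for ca in "$ca_dir"/*.pem; do
        [ -f "$ca" ] || continue
        if openssl verify -no-CAfile -no-CApath -CAfile "$ca" "$server_cert" \
                >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# suggest_config SERVER_CERT CA_DIR
# Prints the libnss-ldap setting that replaces a directory-wide tls_cacertdir.
suggest_config() {
    ca=$(find_issuing_ca "$1" "$2") || {
        echo "no CA in $2 verifies $1" >&2
        return 1
    }
    printf 'tls_cacertfile %s\n' "$ca"
}

# make_demo
# Builds a constructed, throwaway layout in a temp directory and prints it:
#   cas/        three self-signed CAs: decoy1, decoy2, ldapca
#   decoys/     the two decoys only
#   server.pem  a server certificate issued by ldapca
# All names are hypothetical. A private openssl config is written so the CA
# certificates carry CA:TRUE regardless of the system openssl.cnf.
make_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/cas" "$dir/decoys"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        'prompt = no' '[dn]' 'CN = placeholder' '[ca_ext]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    for name in decoy1 decoy2 ldapca; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key" -out "$dir/cas/$name.pem" -days 1 \
            -subj "/CN=$name" >/dev/null 2>&1
    done
    cp "$dir/cas/decoy1.pem" "$dir/cas/decoy2.pem" "$dir/decoys/"
    openssl req -new -config "$dir/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=ldap.example.org" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cas/ldapca.pem" \
        -CAkey "$dir/ldapca.key" -CAcreateserial -days 1 \
        -out "$dir/server.pem" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Usage: sh find-ldap-ca.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    echo "candidate CAs in $d/cas: $(ls "$d/cas"/*.pem | wc -l)"
    suggest_config "$d/server.pem" "$d/cas"
    rm -rf "$d"
fi
```

On a real host you would call suggest_config with the server certificate (fetched once, e.g. with "openssl s_client") and the directory you currently have in tls_cacertdir; the printed tls_cacertfile line is what goes into /etc/libnss-ldap.conf in place of the directory setting, so the per-lookup cost is one certificate rather than the whole ca-certificates bundle.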