On 27.4.2011, at 0.53, Victor Duchovni wrote: >> Just wondering: Is it really the nss-ldap code that is buggy or just >> the libc's getpwnam() call that is fundamentally broken? I recently >> changed Dovecot to use getpwnam_r() instead, since it allows proper >> error checking. > > Most likely a combination of both. It is not, for example, clear which > error returns from getpwnam_r() indicate a transient error, and which > "entry not found". This is an API problem.
It is clear. getpwnam_r() returns 0 both on success and "user not found", you just need to check if the result is NULL or not. If it returns anything else than 0 it's a transient error. If the NSS code internally messes this up, that's its fault then. But I think getpwnam_r() API is fine.
