ryan@nardis.ca wrote:
On Mon, Jan 15, 2018 at 07:33:52PM +0000, lukas@selfnet.de wrote:
During initialization, libldap sets custom gnutls mutex functions: https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/...
PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't undo gnutls_global_set_mutex, so any further calls to locking functions inside openldap will segfault, since these function pointers now point to nowhere since openldap is unloaded.
I encountered this issue in cups since cups uses gnutls itself for the web interface and segfaults when it uses gnutls after libldap.
Thanks for this report.
This is not the first issue caused by our usage of the custom mutex functions; see also https://bugs.debian.org/803197.
Removing the custom mutex functions and (for sufficiently recent GnuTLS) the calls to gnutls_global_{,de}init() looks like a more and more attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS on a platform for which GnuTLS lacks built-in mutex functions...
PAM should be using nss-pam-ldapd, not calling libldap directly. This is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. This ITS is invalid.
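
The hook lifecycle described in the report at the top of this thread, as an added example that is not part of any message here and is not OpenLDAP, GnuTLS, PAM or CUPS code. It is a single-process model: the hook table, the `plugin_*` and `host_lock` names and the `plugin_mapped` flag (standing in for dlopen/dlclose) are all hypothetical, and the stale case returns -1 where a real process would jump into unmapped memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a TLS library's process-wide mutex hooks
 * (the role gnutls_global_set_mutex plays); this is not the GnuTLS API. */
typedef int (*mutex_fn)(void **mutex);
struct mutex_hooks { mutex_fn lock, unlock; };

static int builtin_lock(void **m)   { (void)m; return 0; }
static int builtin_unlock(void **m) { (void)m; return 0; }
static const struct mutex_hooks builtin_hooks = { builtin_lock, builtin_unlock };
static struct mutex_hooks active_hooks = { builtin_lock, builtin_unlock };

/* Hypothetical plugin standing in for a dlopen()ed library. */
static bool plugin_mapped = false;   /* models "code is still mapped" */
static int plugin_lock(void **m)   { (void)m; return 0; }
static int plugin_unlock(void **m) { (void)m; return 0; }

/* Load: the plugin installs its own mutex functions globally. */
static void plugin_load(void) {
    plugin_mapped = true;
    active_hooks.lock = plugin_lock;
    active_hooks.unlock = plugin_unlock;
}

/* Unload as in the report: hooks keep pointing at plugin code. */
static void plugin_unload_leaky(void) { plugin_mapped = false; }

/* Unload with teardown: hand the hooks back before the code goes away. */
static void plugin_unload_clean(void) {
    active_hooks = builtin_hooks;
    plugin_mapped = false;
}

/* True when the active hooks belong to code that is no longer mapped. */
static bool hooks_dangling(void) {
    return active_hooks.lock == plugin_lock && !plugin_mapped;
}

/* Later caller in the same process: refuses a stale hook instead of calling it. */
static int host_lock(void **m) {
    return hooks_dangling() ? -1 : active_hooks.lock(m);
}

int main(void) {
    plugin_load(); plugin_unload_leaky();
    printf("leaky unload: dangling=%d host_lock=%d\n", hooks_dangling(), host_lock(NULL));
    plugin_load(); plugin_unload_clean();
    printf("clean unload: dangling=%d host_lock=%d\n", hooks_dangling(), host_lock(NULL));
    return 0;
}
```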