lukas@selfnet.de wrote:
>> PAM should be using nss-pam-ldapd, not calling libldap directly. This is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. This ITS is invalid.
> It's called _lib_ldap after all, so are other projects linking against / dlopen()ing libldap doing the wrong thing?
PAM should not be polluting the application namespace with libraries that the application may itself be using. The same type of problems arise if e.g. the application uses Kerberos and PAM also uses Kerberos, and the application and PAM want to use different configurations.
The only correct way for a PAM module to work is to never expose its underlying libraries to the calling application.
This is not an OpenLDAP issue.