Hi there,
when using ldap_start_tls_s , /dev/urandom is opened but never seems to be close until the program exist, which causes issues when a program uses pam_ldap in such a way that openvpn does, e.g loop{ new connection; dlopen(pamldap); authenticate user using pam_ldap; // (open /dev/urandom); dlclose(pamldap); // /dev/urandom is still open }
Unfortunately, I am not sure if there is a way to close the TLS context from the API, even when unbinding.
For instance, when using the code below, stracing the code will show that /dev/urandom is not close even once finished with LDAP. ============ ... ... open("/etc/hosts", O_RDONLY) = 4 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 close(4) = 0 open("/lib/tls/i686/cmov/libnss_dns.so.2", O_RDONLY) = 4 close(4) = 0 close(4) = 0 open("/dev/urandom", O_RDONLY) = 4 open(NULL, O_RDONLY) = -1 EFAULT (Bad address) close(3) = 0 ===========
the ldap tools (ldapsearch....) do close properly /dev/urandom, but they use tool_destroy()/ldap_pvt_tls_destroy() which has not effect when I attempt to forward declare it and use it.
Any hints on how one could close TLS context?
Thanks a mil, chantra
/* * compile with * gcc -o start_tls start_tls.c -lldap */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <ldap.h> #include <unistd.h>
void ldap_pvt_tls_destroy( void );
void usage(const char *name){ fprintf(stderr, "USAGE: %s ldap://host\n", name); }
int main(int argc, char **argv){ char uri[BUFSIZ]; LDAP *ldp; int rc; int ldap_version = 3; LDAPControl *serverctrls; LDAPControl *clientctrls;
if(argc!=2){ usage(argv[0]); exit(1); } strcpy(uri, argv[1]); rc = ldap_initialize(&ldp, uri); if(rc != LDAP_SUCCESS){ fprintf(stderr, "ERROR: ldap_initialize returned (%d) "%s" : %s\n", rc, ldap_err2string(rc), strerror(errno)); exit(1); } rc = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version); if(rc != LDAP_OPT_SUCCESS){ fprintf(stderr, "ERROR: ldap_set_option returned (%d) "%s"\n", rc, ldap_err2string(rc)); exit(1); }
rc = ldap_start_tls_s(ldp, &serverctrls, &clientctrls); if(rc != LDAP_SUCCESS){ fprintf(stderr, "ERROR: ldap_start_tls_s returned (%d) "%s"\n", rc, ldap_err2string(rc)); exit(1); } fprintf(stdout, "Successfully started ldap_start_tls_s\n");
rc = ldap_unbind_ext_s(ldp, &serverctrls, &clientctrls); /* no effect ldap_pvt_tls_destroy(); */ sleep(100); exit(0); }
