Hi there,


when using ldap_start_tls_s , /dev/urandom is opened but never seems to be close until the program exist,
which causes issues when a program uses pam_ldap in such a way that openvpn does,
e.g loop{
new connection;
dlopen(pamldap);
authenticate user using pam_ldap; // (open /dev/urandom);
dlclose(pamldap);  // /dev/urandom is still open
}

Unfortunately, I am not sure if there is a way to close the TLS context from the API, even when unbinding.

For instance, when using the code below, stracing the code will show that /dev/urandom is not close even once finished with LDAP.
============
...
...
open("/etc/hosts", O_RDONLY)            = 4
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 4
close(4)                                = 0
open("/lib/tls/i686/cmov/libnss_dns.so.2", O_RDONLY) = 4
close(4)                                = 0
close(4)                                = 0
open("/dev/urandom", O_RDONLY)          = 4
open(NULL, O_RDONLY)                    = -1 EFAULT (Bad address)
close(3)                                = 0
===========

the ldap tools (ldapsearch....) do close properly /dev/urandom, but they use tool_destroy()/ldap_pvt_tls_destroy() which has not effect when I attempt to forward declare it and use it.

Any hints on how one could close TLS context?

Thanks a mil,
chantra

/*
* compile with
* gcc -o start_tls start_tls.c -lldap
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ldap.h>
#include <unistd.h>



void
ldap_pvt_tls_destroy( void );

void usage(const char *name){
fprintf(stderr, "USAGE: %s ldap://host\n", name);
}

int main(int argc, char **argv){
char uri[BUFSIZ];
LDAP *ldp;
int rc;
int ldap_version = 3;
LDAPControl *serverctrls;
LDAPControl *clientctrls;

if(argc!=2){
usage(argv[0]);
exit(1);
}
strcpy(uri, argv[1]);
rc = ldap_initialize(&ldp, uri);
if(rc != LDAP_SUCCESS){
fprintf(stderr, "ERROR: ldap_initialize returned (%d) \"%s\" : %s\n", rc, ldap_err2string(rc), strerror(errno));
exit(1);
}
rc = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
if(rc != LDAP_OPT_SUCCESS){
fprintf(stderr, "ERROR: ldap_set_option returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
exit(1);
}


  rc = ldap_start_tls_s(ldp, &serverctrls, &clientctrls);
if(rc != LDAP_SUCCESS){
fprintf(stderr, "ERROR: ldap_start_tls_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
exit(1);
}
fprintf(stdout, "Successfully started ldap_start_tls_s\n");
 
rc = ldap_unbind_ext_s(ldp, &serverctrls, &clientctrls);
/*
  no effect
  ldap_pvt_tls_destroy();
*/
  sleep(100);
exit(0);
}


--
http://www.debuntu.org

Debuntu deb's repository
!DSPAM:49e6334790401157261143!