Russ Allbery wrote:
Martin Sandsmarksandsmark@samfundet.no writes:
If we use just plain ldap (not using openssl), the connection times out rather quickly, and pam tries the next authentication method which works as expected, and the problem can be fixed. But unfortunately that also opens up some security risks, since we can't be sure we connect to the proper ldap server.
I have had this problem with other applications that use OpenSSL, and the last time I looked at one in detail, figuring out how to get OpenSSL to time out properly when it's in the middle of its own internal handling was surprisingly tricky. However, I don't know if this has already been dealt with in OpenLDAP's client libraries somehow.
The library is supposed to do all the right calls to deal with asynchronous I/O but we never actually enable it in the OpenSSL layer. If you look at the OpenSSL mailing list archives you'll see long discussions to the effect that asynchronous I/O with OpenSSL is tricky/unsafe/broken.