Russ Allbery wrote:
Martin Sandsmark<sandsmark(a)samfundet.no> writes:
> If we use just plain ldap (not using openssl), the connection times out
> rather quickly, and pam tries the next authentication method which works
> as expected, and the problem can be fixed. But unfortunately that also
> opens up some security risks, since we can't be sure we connect to the
> proper ldap server.
I have had this problem with other applications that use OpenSSL, and the
last time I looked at one in detail, figuring out how to get OpenSSL to
time out properly when it's in the middle of its own internal handling was
surprisingly tricky. However, I don't know if this has already been dealt
with in OpenLDAP's client libraries somehow.
The library is supposed to do all the right calls to deal with asynchronous
I/O but we never actually enable it in the OpenSSL layer. If you look at the
OpenSSL mailing list archives you'll see long discussions to the effect that
asynchronous I/O with OpenSSL is tricky/unsafe/broken.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/