Russ Allbery wrote:
> Martin Sandsmark <sandsmark(a)samfundet.no> writes:
>> If we use just plain ldap (not using openssl), the connection times out
>> rather quickly, and pam tries the next authentication method which works
>> as expected, and the problem can be fixed. But unfortunately that also
>> opens up some security risks, since we can't be sure we connect to the
>> proper ldap server.
>
> I have had this problem with other applications that use OpenSSL, and the
> last time I looked at one in detail, figuring out how to get OpenSSL to
> time out properly when it's in the middle of its own internal handling was
> surprisingly tricky. However, I don't know if this has already been dealt
> with in OpenLDAP's client libraries somehow.

The library is supposed to do all the right calls to deal with asynchronous
I/O but we never actually enable it in the OpenSSL layer. If you look at the
OpenSSL mailing list archives you'll see long discussions to the effect that
asynchronous I/O with OpenSSL is tricky/unsafe/broken.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
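
An added example, not part of the original thread and not OpenLDAP's code: a non-blocking TLS handshake bounded by a deadline, written against Python's `ssl` module (which wraps OpenSSL), so a peer that accepts the TCP connection and then goes silent cannot hang the client. The stalled server, the function names and the deadline value are constructed for illustration.

```python
import select
import socket
import ssl
import threading
import time


def start_stalled_server():
    """Constructed test peer: accepts TCP, then never sends a TLS byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    held = []  # keep the accepted socket open so the client sees a hang, not a reset

    def accept_and_hold():
        conn, _ = srv.accept()
        held.append(conn)

    threading.Thread(target=accept_and_hold, daemon=True).start()
    return srv, held


def handshake_with_deadline(host, port, ctx, deadline_s):
    """Return 'ok' or 'timeout'; never waits longer than deadline_s overall."""
    end = time.monotonic() + deadline_s
    raw = socket.create_connection((host, port), timeout=deadline_s)
    raw.setblocking(False)  # OpenSSL now reports WANT_READ/WANT_WRITE instead of blocking
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    try:
        while True:
            remaining = end - time.monotonic()
            if remaining <= 0:
                return "timeout"
            try:
                tls.do_handshake()
                return "ok"
            except ssl.SSLWantReadError:
                select.select([tls], [], [], remaining)   # wait for peer data
            except ssl.SSLWantWriteError:
                select.select([], [tls], [], remaining)   # wait for send buffer space
    finally:
        tls.close()


if __name__ == "__main__":
    server, _held = start_stalled_server()
    context = ssl.create_default_context()  # certificate verification stays enabled
    print(handshake_with_deadline("127.0.0.1", server.getsockname()[1], context, 0.5))
```

On timeout the caller can move on to the next server or authentication method without having dropped TLS and its server verification.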