
Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)



At 06:40 PM 9/12/00 +0000, michael@weiser.saale-net.de wrote:
>Full_Name: Michael Weiser
>Version: cvs 20000912
>OS: irix 6.5
>URL: ftp://ftp.openldap.org/incoming/michael-weiser-20000912-egd.patch
>Submission from: (NULL) (139.18.25.3)
>
>
>Hello,
>
>TLS_RANDFILE in ldap.conf and/or ~/ldaprc doesn't make libldap contact the
>egd since a.) the configs are read *after* the RNG is seeded and b.)
>TLS_RANDFILE is marked as user-only. While the former seems to be only an
>oversight the latter may make sense in respect of overall security but is
>bad for setting up a configuration working oob for the users of my irix 6.5
>box. I want to run egd and/or prngd as system-wide entropy gathering daemons
>which all tools connect to automatically.

It wasn't an oversight.  It was done purposely as sharing (static)
randfiles is not wise from a security standpoint.  If a system-wide
source of entropy is available which can be read using read(2),
then it should be configured as the URANDOM_DEVICE.

Try:
        env CPPFLAGS="-DURANDOM_DEVICE=/tmp/egd/random" ./configure

>I hope the attached patch fixes this although I don't have any idea whether
>and how the relocation of ldap_pvt_tls_init() affects the calls between the
>new and old location. It works for me (tm).

I would think that both TLS and SASL initialization should be done
after scanning ldap.conf/.ldaprc....  so this change appears to be
appropriate.

Kurt
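The reply above draws a line between a shared static randfile and a system-wide entropy source that libldap can simply read(2) from a compile-time URANDOM_DEVICE path. The following is an added illustration of what such a reader needs to get right; it is not OpenLDAP's code, and the URANDOM_DEVICE macro, the function names and the sample file are assumptions made for this example. It loops over short reads and EINTR, reports how many bytes it actually obtained so a caller can refuse to seed from a device that ran dry, and treats a missing device as zero bytes rather than as success.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Compile-time device path in the spirit of the configure hint above.
   This example expects a quoted string, e.g. -DURANDOM_DEVICE='"/dev/urandom"'
   (hypothetical default; not OpenLDAP's own handling of the macro). */
#ifndef URANDOM_DEVICE
#define URANDOM_DEVICE "/dev/urandom"
#endif

/* Read up to `want` bytes of entropy from `path` with read(2).
   Returns the number of bytes actually read: `want` on success, fewer if the
   device hit EOF or failed, 0 if it could not be opened. Short reads and
   EINTR are retried; any other error stops the loop. */
size_t read_entropy_from(const char *path, unsigned char *buf, size_t want)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;

    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: try again */
            break;              /* real error: report what we have */
        }
        if (n == 0)
            break;              /* EOF: a file or FIFO ran out of data */
        got += (size_t)n;
    }
    close(fd);
    return got;
}

/* Convenience wrapper bound to the compile-time device. */
size_t read_entropy(unsigned char *buf, size_t want)
{
    return read_entropy_from(URANDOM_DEVICE, buf, want);
}

/* Self-check against a constructed 8-byte file: a caller asking for 16 bytes
   must learn that only 8 were available, and a missing device must yield 0.
   Returns 0 when every expectation holds, a negative code otherwise. */
int selfcheck_constructed_file(void)
{
    const char *path = "/tmp/entropy-demo-constructed.bin";   /* constructed sample */
    static const unsigned char pattern[8] =
        {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};       /* constructed bytes */
    unsigned char buf[16];

    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    if (fwrite(pattern, 1, sizeof pattern, f) != sizeof pattern) {
        fclose(f);
        return -1;
    }
    fclose(f);

    memset(buf, 0, sizeof buf);
    size_t got = read_entropy_from(path, buf, sizeof buf);
    remove(path);

    if (got != sizeof pattern)                   /* short supply is reported, not hidden */
        return -2;
    if (memcmp(buf, pattern, sizeof pattern) != 0)
        return -3;
    if (read_entropy_from("/nonexistent/egd/random", buf, sizeof buf) != 0)
        return -4;                               /* hypothetical missing device path */
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    size_t got = read_entropy(seed, sizeof seed);
    if (got < sizeof seed) {
        fprintf(stderr, "only %zu of %zu bytes from %s; refusing to seed\n",
                got, sizeof seed, URANDOM_DEVICE);
        return 1;
    }
    printf("read %zu bytes from %s\n", got, URANDOM_DEVICE);
    return selfcheck_constructed_file() == 0 ? 0 : 2;
}
```

The byte count is the check that matters: a seeding routine that ignores it will happily continue after a device hands back nothing, which is the same failure mode as silently sharing a stale randfile.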