Any ways to release START_TLS's random file from Ldap API?
Hi there,
when using ldap_start_tls_s, /dev/urandom is opened but never seems to be closed until the program exits,
which causes issues when a program uses pam_ldap in such a way that openvpn does,
e.g loop{
new connection;
dlopen(pamldap);
authenticate user using pam_ldap; // (open /dev/urandom);
dlclose(pamldap); // /dev/urandom is still open
}
Unfortunately, I am not sure if there is a way to close the TLS context from the API, even when unbinding.
For instance, when using the code below, stracing the program shows that /dev/urandom is not closed even once the program has finished with LDAP.
============
...
...
open("/etc/hosts", O_RDONLY) = 4
close(4) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
close(4) = 0
open("/lib/tls/i686/cmov/libnss_dns.so.2", O_RDONLY) = 4
close(4) = 0
close(4) = 0
open("/dev/urandom", O_RDONLY) = 4
open(NULL, O_RDONLY) = -1 EFAULT (Bad address)
close(3) = 0
===========
The ldap tools (ldapsearch, ...) do close /dev/urandom properly, but they use tool_destroy()/ldap_pvt_tls_destroy(), which has no effect when I attempt to forward-declare it and call it myself.
Any hints on how one could close TLS context?
Thanks a mil,
chantra
/*
* compile with
* gcc -o start_tls start_tls.c -lldap
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ldap.h>
#include <unistd.h>
/* Forward declaration of a libldap-private symbol (it is not exported through
 * ldap.h); declared here only so main can experiment with calling it. */
void ldap_pvt_tls_destroy(void);
/* Print the one-line invocation synopsis to stderr.
 * name: the program name to show, normally argv[0]. */
void usage(const char *name){
    (void)fprintf(stderr, "USAGE: %s ldap://host\n", name);
}
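/* Open an LDAP session to the URI given on the command line, negotiate
 * StartTLS, unbind, then idle so the process can be inspected from outside
 * (strace/lsof) for descriptors libldap keeps open after the session is gone.
 * Exit status is 0 on success and 1 on bad usage or any LDAP error. */
int main(int argc, char **argv){
    if (argc != 2) {
        /* argv[0] may be NULL when argc == 0; fall back to a fixed name. */
        usage(argc > 0 ? argv[0] : "start_tls");
        exit(1);
    }
    /* Use the argument in place: copying it into a fixed BUFSIZ array with
     * strcpy overflowed the buffer for any argument longer than BUFSIZ-1, and
     * ldap_initialize does not need a writable copy. */
    const char *uri = argv[1];
    LDAP *ldp = NULL;
    int ldap_version = 3;   /* LDAPv3 is required for the StartTLS extended op */

    int rc = ldap_initialize(&ldp, uri);
    if (rc != LDAP_SUCCESS) {
        /* errno is only meaningful when the failure came from a system call;
         * ldap_err2string(rc) is the authoritative description. */
        fprintf(stderr, "ERROR: ldap_initialize returned (%d) \"%s\" : %s\n", rc, ldap_err2string(rc), strerror(errno));
        exit(1);
    }
    rc = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
    if (rc != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_set_option returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        exit(1);
    }
    /* The control arguments are NULL-terminated arrays of LDAPControl *.
     * The original passed the address of an uninitialized LDAPControl *, which
     * the library would walk as if it were such an array. No controls are
     * needed for this test, so pass NULL for both. */
    rc = ldap_start_tls_s(ldp, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_start_tls_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        exit(1);
    }
    fprintf(stdout, "Successfully started ldap_start_tls_s\n");

    /* Unbind failure is reported but does not abort: the point of the program
     * is to keep running so the remaining open descriptors can be inspected. */
    int status = 0;
    rc = ldap_unbind_ext_s(ldp, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_unbind_ext_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        status = 1;
    }
    /* NOTE: calling the private ldap_pvt_tls_destroy() here was reported to
     * have no effect on the /dev/urandom descriptor, so it is not attempted. */

    /* Idle so strace/lsof can observe which descriptors are still open. */
    sleep(100);
    exit(status);
}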
/*
* compile with
* gcc -o start_tls start_tls.c -lldap
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ldap.h>
#include <unistd.h>
/* Forward declaration of a libldap-private symbol (it is not exported through
 * ldap.h); declared here only so main can experiment with calling it. */
void ldap_pvt_tls_destroy(void);
/* Print the one-line invocation synopsis to stderr.
 * name: the program name to show, normally argv[0]. */
void usage(const char *name){
    (void)fprintf(stderr, "USAGE: %s ldap://host\n", name);
}
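/* Open an LDAP session to the URI given on the command line, negotiate
 * StartTLS, unbind, then idle so the process can be inspected from outside
 * (strace/lsof) for descriptors libldap keeps open after the session is gone.
 * Exit status is 0 on success and 1 on bad usage or any LDAP error. */
int main(int argc, char **argv){
    if (argc != 2) {
        /* argv[0] may be NULL when argc == 0; fall back to a fixed name. */
        usage(argc > 0 ? argv[0] : "start_tls");
        exit(1);
    }
    /* Use the argument in place: copying it into a fixed BUFSIZ array with
     * strcpy overflowed the buffer for any argument longer than BUFSIZ-1, and
     * ldap_initialize does not need a writable copy. */
    const char *uri = argv[1];
    LDAP *ldp = NULL;
    int ldap_version = 3;   /* LDAPv3 is required for the StartTLS extended op */

    int rc = ldap_initialize(&ldp, uri);
    if (rc != LDAP_SUCCESS) {
        /* errno is only meaningful when the failure came from a system call;
         * ldap_err2string(rc) is the authoritative description. */
        fprintf(stderr, "ERROR: ldap_initialize returned (%d) \"%s\" : %s\n", rc, ldap_err2string(rc), strerror(errno));
        exit(1);
    }
    rc = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
    if (rc != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_set_option returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        exit(1);
    }
    /* The control arguments are NULL-terminated arrays of LDAPControl *.
     * The original passed the address of an uninitialized LDAPControl *, which
     * the library would walk as if it were such an array. No controls are
     * needed for this test, so pass NULL for both. */
    rc = ldap_start_tls_s(ldp, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_start_tls_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        exit(1);
    }
    fprintf(stdout, "Successfully started ldap_start_tls_s\n");

    /* Unbind failure is reported but does not abort: the point of the program
     * is to keep running so the remaining open descriptors can be inspected. */
    int status = 0;
    rc = ldap_unbind_ext_s(ldp, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: ldap_unbind_ext_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc));
        status = 1;
    }
    /* NOTE: calling the private ldap_pvt_tls_destroy() here was reported to
     * have no effect on the /dev/urandom descriptor, so it is not attempted. */

    /* Idle so strace/lsof can observe which descriptors are still open. */
    sleep(100);
    exit(status);
}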