[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Timeouts over LDAPS

To: Russ Allbery <rra@stanford.edu>
Subject: Re: Timeouts over LDAPS
From: Howard Chu <hyc@symas.com>
Date: Tue, 05 Feb 2008 16:24:45 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <87prvbrogv.fsf@windlord.stanford.edu>
References: <20080205190044.GA1955@samfundet.no> <87prvbrogv.fsf@windlord.stanford.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Russ Allbery wrote:

Martin Sandsmark<sandsmark@samfundet.no>  writes:

If we use just plain ldap (not using openssl), the connection times out
rather quickly, and pam tries the next authentication method which works
as expected, and the problem can be fixed. But unfortunately that also
opens up some security risks, since we can't be sure we connect to the
proper ldap server.


I have had this problem with other applications that use OpenSSL, and the
last time I looked at one in detail, figuring out how to get OpenSSL to
time out properly when it's in the middle of its own internal handling was
surprisingly tricky.  However, I don't know if this has already been dealt
with in OpenLDAP's client libraries somehow.

The library is supposed to do all the right calls to deal with asynchronous I/O but we never actually enable it in the OpenSSL layer. If you look at the OpenSSL mailing list archives you'll see long discussions to the effect that asynchronous I/O with OpenSSL is tricky/unsafe/broken.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

References:
- Timeouts over LDAPS
  - From: Martin Sandsmark <sandsmark@samfundet.no>
- Re: Timeouts over LDAPS
  - From: Russ Allbery <rra@stanford.edu>

Prev by Date: Re: Timeouts over LDAPS
Next by Date: openldap - missing modules - how / where to find them
Index(es):
- Chronological
- Thread