Digest-MD5 SASL binds (solved)
Hi
I'd just like to close this thread by reporting the actual cause and the
solution:
> However, the main reason for all the fuss had been that I get deadlocks when
> trying Digest-MD5 SASL binds. The 2.2.23 slapd does not flood the logs with
The real issue had been that in fact both machines involved were bored test
machines, which have everything in memory, and all that's happening is me
typing through an ssh terminal.
This does not yield significant entropy and /dev/random locks. The longer the
nonces or session keys the more probable the deadlocks, i.e. TLS and
DIGEST-MD5 is a killer!
Actually, /dev/random is overkill for session keys, in particular
since /dev/urandom is a really good implementation (analysed it in 2.4.18),
unless you plan to set up a CA producing some 1000 RSA keys a day.
Recompiling SASL with --devrandom=/dev/urandom solves the problem, but the
following is easier for non-CA systems:
    rm -f /dev/random
    ln -s /dev/urandom /dev/random
man urandom to revert, if you would
Thanks for all your support,
- lars.
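
A diagnostic for the condition described in the message above, as an added example that is not part of the original post: it reports whether a random device node is the stock character device or a symlink (as left by the ln -s workaround) and how many bytes it yields right now without blocking. The function names and the 64-byte probe size are assumptions made for this sketch.

```python
import os
import stat

ENTROPY_FILE = "/proc/sys/kernel/random/entropy_avail"  # Linux-only counter

def describe_node(path):
    """Say what a device path really is, without following symlinks."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink -> " + os.readlink(path)
    if stat.S_ISCHR(st.st_mode):
        # On Linux the stock nodes are 1:8 (random) and 1:9 (urandom).
        return "chardev %d:%d" % (os.major(st.st_rdev), os.minor(st.st_rdev))
    return "other"

def immediate_bytes(path, want=64):
    """Count the bytes readable right now; never waits for the pool to refill."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        got = 0
        while got < want:
            try:
                chunk = os.read(fd, want - got)
            except BlockingIOError:
                break  # a blocking reader (e.g. a SASL bind) would hang here
            if not chunk:
                break  # end of file; only happens for non-device test input
            got += len(chunk)
        return got
    finally:
        os.close(fd)

def entropy_avail(proc_file=ENTROPY_FILE):
    """Kernel's entropy estimate in bits, or None where it is not exposed."""
    try:
        with open(proc_file) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def report(path="/dev/random", want=64):
    """Summarise one node: what it is and whether a read of `want` falls short."""
    got = immediate_bytes(path, want)
    return {"node": describe_node(path), "entropy_avail": entropy_avail(),
            "got": got, "short_read": got < want}

if __name__ == "__main__":
    for node in ("/dev/random", "/dev/urandom"):
        print(node, report(node))
```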