[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)

At 06:40 PM 9/12/00 +0000, michael@weiser.saale-net.de wrote:
>Full_Name: Michael Weiser
>Version: cvs 20000912
>OS: irix 6.5
>URL: ftp://ftp.openldap.org/incoming/michael-weiser-20000912-egd.patch
>Submission from: (NULL) (
>TLS_RANDFILE in ldap.conf and/or ~/ldaprc doesn't make libldap contact the
>egd since a.) the configs are read *after* the RNG is seeded and b.)
>TLS_RANDFILE is marked as user-only. While the former seems to be only an
>oversight the latter may make sense in respect of overall security but is
>bad for setting up a configuration working oob for the users of my irix 6.5
>box. I want to run egd and/or prngd as system-wide entropy gathering daemons
>which all tools connect to automatically.

It wasn't an oversight.  It was done purposely as sharing (static)
randfiles is not wise from a security standpoint.  If a system
wise source of entropy is available which can be read using read(2),
then it should be configured as the URANDOM_DEVICE.

        env CPPFLAGS="-DURANDOM_DEVICE=/tmp/egd/random" ./configure

>I hope the attached patch fixes this although I don't have any idea whether
>and how the relocation of ldap_pvt_tls_init() affects the calls between the
>new and old location. It works for me (tm).

I would think that both TLS and SASL initialization should be done
after scanning ldap.conf/.ldaprc....  so this change appears to be