Re: (ITS#8797) improper use of gnutls causes segfault



lukas@selfnet.de wrote:
>> PAM should be using nss-pam-ldapd, not calling libldap directly. This
>> is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug.
>> This ITS is invalid.
> 
> It's called _lib_ldap after all, so are other projects linking against /
> dlopen()ing libldap doing the wrong thing?

PAM should not be polluting the application namespace with libraries that the 
application may itself be using. The same type of problems arise if e.g. the 
application uses Kerberos and PAM also uses Kerberos, and the application and 
PAM want to use different configurations.

The only correct way for a PAM module to work is to never expose its 
underlying libraries to the calling application.

This is not an OpenLDAP issue.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/