[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8797) improper use of gnutls causes segfault

lukas@selfnet.de wrote:
>> PAM should be using nss-pam-ldapd, not calling libldap directly. This
>> is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug.
>> This ITS is invalid.
> It's called _lib_ldap after all, so are other projects linking against /
> dlopen()ing libldap doing the wrong thing?

PAM should not be polluting the application namespace with libraries that the 
application may itself be using. The same type of problems arise if e.g. the 
application uses Kerberos and PAM also uses Kerberos, and the application and 
PAM want to use different configurations.

The only correct way for a PAM module to work is to never expose its 
underlying libraries to the calling application.

This is not an OpenLDAP issue.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/