OpenLDAP --enable-spasswd, SASL, PAM - not threadsafe?



All (apologies for the cross-posting - I am unsure which piece of
software the "fault" arises from),

In OpenLDAP 2.0.25 (./configure --enable-spasswd --with-tls
--enable-wrappers) (RedHat 7.1, stock system glibc 2.2.4-24) I'm using
accounts of the form:

dn: uid=user,ou=People,dc=domain,dc=com
objectClass: top
objectClass: posixAccount
cn: user
uid: user
uidNumber: 100
gidNumber: 100
gecos: User, Mr. A
loginShell: /bin/sh
homeDirectory: /home/user
userPassword: {SASL}user@DOMAIN.COM

Then, in /usr/lib/sasl/slapd.conf:

pwcheck_method: PAM

Then, in /etc/pam.d/ldap:

#%PAM-1.0
auth        required      /lib/security/pam_krb5.so no_user_check
session     required      /lib/security/pam_permit.so

This works - password checks are successfully passed off against our
Kerberos realm.

However, it appears to fail under load, possibly due to threading issues
(a "ps faux" and "gdb /usr/local/libexec/slapd; attach PID; thread apply
all bt" are attached)

Thread 7 (line 219 of the attached file) appears to be blocked inside the
SASL library, loading the PAM library. I see three possibilities:

1) SASL isn't thread-safe, and OpenLDAP should be appropriately
protecting this bit of code, and isn't
2) PAM isn't thread-safe, and SASL should be locking
3) The pam_krb5 (or kerberos) libraries aren't thread safe

For now, I'm going to try dropping back to a single-threaded slapd, but
any suggestions would be welcome.

-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+
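The "attach gdb, thread apply all bt" procedure described in the post, as an added
example (not part of the original message and not OpenLDAP, Cyrus SASL or PAM
code): a non-interactive way to take the same thread dump from a running slapd,
plus a small awk triage that lists each thread's frames innermost-first and tags
threads that are parked in a lock, inside the dynamic loader, or inside a PAM
entry point. The sample dump at the bottom is constructed for the example; its
addresses, thread/LWP numbers and the function and library names in it are
illustrative assumptions, not the attachment the post refers to. The gdb -ex
option needs gdb 6.4 or later; with an older gdb put the command in a file and
pass it with -x.

```bash
#!/bin/sh
# Added example: dump and triage slapd thread backtraces. Not from the original
# post; function names in the sample dump below are illustrative assumptions.
set -eu

# Take a "thread apply all bt" dump of a live process without an interactive
# gdb session (the process is stopped only while gdb is attached).
# Usage: dump_threads /usr/local/libexec/slapd "$(pidof slapd)" > slapd-threads.txt
dump_threads() {
    gdb -q -batch -ex "thread apply all bt" "$1" "$2"
}

# Read a "thread apply all bt" dump on stdin and print one line per thread:
#   thread <n> [<tags>]: <frame0> <frame1> ...   (innermost frame first)
# tags: blocked = a frame is a mutex/condvar/semaphore wait
#       loader  = a frame is dlopen()/_dl_open() (shared object being loaded)
#       pam     = a frame is a pam_* entry point
#       -       = none of the above
triage_threads() {
    awk '
    function emit(    tags) {
        tags = ""
        if (blocked) tags = tags "blocked,"
        if (loader)  tags = tags "loader,"
        if (pam)     tags = tags "pam,"
        sub(/,$/, "", tags)
        if (tags == "") tags = "-"
        printf "thread %s [%s]:%s\n", tid, tags, frames
    }
    # "Thread 7 (Thread 6151 (LWP 1807)):" starts a new thread
    /^Thread [0-9]+/ {
        if (tid != "") emit()
        tid = $2; frames = ""; blocked = loader = pam = 0
        next
    }
    # "#1  0x40044c7c in pthread_mutex_lock () from /lib/libpthread.so.0"
    # or "#4  slap_passwd_check (...) at passwd.c:45" (no address, no "in")
    /^#[0-9]+/ {
        fn = $2
        for (i = 2; i < NF; i++) if ($i == "in") { fn = $(i + 1); break }
        frames = frames " " fn
        if (fn ~ /^(pthread_mutex_lock|pthread_cond_wait|pthread_cond_timedwait|sem_wait|__lll_lock_wait)$/) blocked = 1
        if (fn ~ /dlopen|_dl_open/) loader = 1
        if (fn ~ /^pam_/) pam = 1
    }
    END { if (tid != "") emit() }
    '
}

# Thread numbers of the threads tagged "blocked", one per line.
blocked_threads() {
    triage_threads | awk '$3 ~ /blocked/ { print $2 }'
}

# Constructed sample dump (illustrative only; not the post's attachment).
SAMPLE_DUMP=$(cat <<'EOF'
Thread 7 (Thread 6151 (LWP 1807)):
#0  0x4011f1b4 in __libc_sigsuspend () from /lib/libc.so.6
#1  0x40044c7c in pthread_mutex_lock () from /lib/libpthread.so.0
#2  0x4000c5e8 in _dl_open () from /lib/ld-linux.so.2
#3  0x401e2b70 in dlopen () from /lib/libdl.so.2
#4  0x402a13c0 in sasl_checkpass () from /usr/lib/libsasl.so.7
#5  0x0806b2a0 in slap_passwd_check ()

Thread 5 (Thread 5126 (LWP 1805)):
#0  0x40120c6c in recv () from /lib/libc.so.6
#1  0x4040e110 in krb5_sendto_kdc () from /usr/lib/libkrb5.so.3
#2  0x403f2a44 in pam_sm_authenticate () from /lib/security/pam_krb5.so
#3  0x4031a0c8 in pam_authenticate () from /lib/libpam.so.0
#4  0x402a13c0 in sasl_checkpass () from /usr/lib/libsasl.so.7
#5  0x0806b2a0 in slap_passwd_check ()

Thread 2 (Thread 2049 (LWP 1799)):
#0  0x40120c6c in select () from /lib/libc.so.6
#1  0x0805d9a4 in slapd_daemon_task ()

Thread 1 (Thread 1024 (LWP 1797)):
#0  0x4011f1b4 in __libc_sigsuspend () from /lib/libc.so.6
#1  0x40043d98 in pthread_join () from /lib/libpthread.so.0
#2  0x0805a3f0 in main ()
EOF
)

# Run the triage over the constructed dump; on a real box feed it the output of
# dump_threads instead.
printf '%s\n' "$SAMPLE_DUMP" | triage_threads
```

On the constructed dump the triage reports thread 7 as [blocked,loader] (a mutex
wait under _dl_open/dlopen), thread 5 as [pam] (a live Kerberos exchange inside
pam_krb5), and threads 2 and 1 as [-]; "blocked_threads" prints just "7". The tag
regexes are deliberately narrow so that a thread idling in select() or
pthread_join() is not mistaken for a stuck one.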