[email protected] wrote:
> On Mon, Jan 15, 2018 at 07:33:52PM +0000, [email protected] wrote:
>> During initialization, libldap sets custom gnutls mutex functions:
>> https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_g.c;h=adcb6be04076a91d3a0bf94cf8357f4e51f5b9da;hb=HEAD#l113
>>
>> PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't
>> undo gnutls_global_set_mutex, so any further calls to locking functions inside
>> openldap will segfault since these function pointers now point to nowhere since
>> openldap is unloaded.
>>
>> I encountered this issue in cups since cups uses gnutls itself for the web
>> interface and segfaults when it uses gnutls after libldap.
>
> Thanks for this report.
>
> This is not the first issue caused by our usage of the custom mutex
> functions; see also <https://bugs.debian.org/803197>.
>
> Removing the custom mutex functions and (for sufficiently recent GnuTLS)
> the calls to gnutls_global_{,de}init() looks like a more and more
> attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS
> on a platform for which GnuTLS lacks built-in mutex functions...

PAM should be using nss-pam-ldapd, not calling libldap directly. This is an
architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. This ITS is
invalid.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
