pam_ldap connecting via TLS

OpenSSL:  0.9.6c
OpenLDAP: 2.0.23
PAM_LDAP: pam_ldap-140.tgz from http://www.padl.com
IRIX:     6.5.15

Here is my situation.  I have an LDAP server to which I am forcing the use of
TLSv1.  I have successfully compiled the pam_ldap module and installed it.  When
I tried to write an application that had to be setuid root, (just like
/bin/passwd), I found that my application would not successfully do a TLS
connect to the LDAP server.  I had even set my RANDFILE to point to a file that
had already been filled with entropy, but to no avail.

After looking around at the source code to OpenSSL-0.9.6c, I found to my
amazement that if your uid != euid OR gid != egid, then it will not
attempt to read from either the RANDFILE or HOME environment variables.  This is
the cause of my not being able to successfully do a TLSv1/SSLv3 connect to my
LDAP server.

I have found a solution to this, but I would like to see what everyone thinks
about it.  Since I can't use the RANDFILE environment variable, I have to use
EGD.  To make pam_ldap use this daemon, I have done the following:

1)  I have added a configuration option to the /etc/ldap.conf file:
    egdsocket <pathToEgdSocket>
2)  I have added a variable to struct pam_ldap_config in pam_ldap.h:
    char *egdsocket;
3)  Diff of pam_ldap.c: (See attached file: diff.pam_ldap.c)

    Summary: Added a call to
    ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, session->conf->egdsocket)
    so that OpenSSL will have a starting point of randomness.


Please note:  This problem will only manifest itself in setuid programs like
/bin/passwd AND only when you are using TLS to connect to your LDAP server.



Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

Attachment: diff.pam_ldap.c
Description: Binary data
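As an added illustration (this is not the author's patch, which lives in the attachment and is not reproduced on this page), the C below mirrors the decision OpenSSL 0.9.6's RAND_file_name() makes, skipping RANDFILE and HOME whenever uid != euid or gid != egid, and then falls back to the EGD socket path that the egdsocket option described above would supply. The socket path and environment values used in main() are constructed placeholders; the ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, ...) call is left as a comment so the example builds without libldap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Same test OpenSSL 0.9.6 applies (OPENSSL_issetugid): any mismatch between
 * real and effective uid or gid marks the process as set-id, and RANDFILE /
 * HOME are then ignored because an untrusted caller controls the environment.
 */
int is_setugid(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/*
 * Pick the seed source to hand to
 *     ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, <result>)
 * Order matches RAND_file_name(): $RANDFILE, then $HOME/.rnd, but only when
 * the process is not set-id.  Otherwise the only usable source is the EGD
 * socket configured in /etc/ldap.conf.  Returns NULL when nothing usable
 * exists, which is the situation the post describes (TLS connect fails).
 */
const char *choose_seed_source(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                               const char *randfile_env, const char *home_env,
                               const char *egdsocket, char *buf, size_t size)
{
    if (!is_setugid(uid, euid, gid, egid)) {
        if (randfile_env && *randfile_env && strlen(randfile_env) + 1 <= size) {
            strcpy(buf, randfile_env);
            return buf;
        }
        if (home_env && *home_env &&
            strlen(home_env) + strlen("/.rnd") + 1 <= size) {
            snprintf(buf, size, "%s/.rnd", home_env);
            return buf;
        }
    }
    /* set-id process (or no usable env): fall back to the EGD socket */
    if (egdsocket && *egdsocket && strlen(egdsocket) + 1 <= size) {
        strcpy(buf, egdsocket);
        return buf;
    }
    return NULL;
}

int main(void)
{
    char path[256];
    /* "/var/run/egd-pool" is a constructed placeholder for the egdsocket value */
    const char *src = choose_seed_source(getuid(), geteuid(), getgid(), getegid(),
                                         getenv("RANDFILE"), getenv("HOME"),
                                         "/var/run/egd-pool", path, sizeof path);
    if (src == NULL) {
        fprintf(stderr, "no PRNG seed source available; TLS connect would fail\n");
        return 1;
    }
    printf("seed source: %s (set-id: %s)\n", src,
           is_setugid(getuid(), geteuid(), getgid(), getegid()) ? "yes" : "no");
    /* ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, src); */
    return 0;
}
```

Running this unprivileged prints the RANDFILE or $HOME/.rnd path; run under a setuid wrapper it reports the EGD socket instead, which is exactly why the pam_ldap change above routes the socket path through LDAP_OPT_X_TLS_RANDOM_FILE.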