OpenSSL: 0.9.6c
OpenLDAP: 2.0.23
PAM_LDAP: pam_ldap-140.tgz from http://www.padl.com
IRIX: 6.5.15

Here is my situation. I have an LDAP server to which I am forcing the use of TLSv1. I have successfully compiled the pam_ldap module and installed it. When I tried to write an application that had to be setuid root (just like /bin/passwd), I found that my application would not successfully do a TLS connect to the LDAP server. I had even set my RANDFILE to point to a file that had already been filled with entropy, but to no avail.

After looking around at the source code to OpenSSL-0.9.6c, I found to my amazement that if your uid != euid OR gid != egid, then it will not attempt to read from either the RANDFILE or HOME environment variables. This is the cause of my not being able to successfully do a TLSv1/SSLv3 connect to my LDAP server.

I have found a solution to this, but I would like to see what everyone thinks about it. Since I can't use the RANDFILE environment variable, I have to use EGD. To make pam_ldap use this daemon, I have done the following:

1) I have added a configuration option to the /etc/ldap.conf file:
   egdsocket <pathToEgdSocket>

2) I have added a variable to struct pam_ldap_config in pam_ldap.h:
   char *egdsocket

3) Diff of pam_ldap.c: (See attached file: diff.pam_ldap.c)
   Summary: Added a call to ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, session->conf->egdsocket) so that OpenSSL will have a starting point of randomness.

Please note: This problem will only manifest itself in setuid programs like /bin/passwd AND when you are using TLS to connect to your LDAP server.

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.
Attachment:
diff.pam_ldap.c
Description: Binary data
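The three steps above, as an added example that is not the poster's attached diff nor pam_ldap's own source: it parses an "egdsocket <path>" line out of an ldap.conf-style text, applies the same uid/euid and gid/egid test that the post says OpenSSL 0.9.6c uses before it will read RANDFILE or HOME, and decides which entropy source the program has to hand to OpenSSL. The one libldap call the post makes, ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, path), is left as a comment so the file builds with only libc; the sample ldap.conf text and the socket path /var/run/egd-pool are constructed for the example. The socket-reachability check is an extra sanity step a practitioner would want before handing the path to OpenSSL, not something the post describes.

```c
/* Added example; not from the original post or the pam_ldap project. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed sample of an /etc/ldap.conf fragment (not a real site config). */
static const char SAMPLE_LDAP_CONF[] =
    "# constructed sample\n"
    "host ldap.example.com\n"
    "base dc=example,dc=com\n"
    "ssl start_tls\n"
    "egdsocket /var/run/egd-pool\n"
    "pam_password md5\n";

/* The test the post attributes to OpenSSL 0.9.6c: when it is true, RANDFILE
 * and HOME are ignored, so a setuid binary gets no seed from them. */
int ids_mismatch(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Find "egdsocket <path>" in ldap.conf text (comment lines skipped).
 * Copies the path into out and returns 1; returns 0 if absent or too long. */
int parse_egdsocket(const char *conf, char *out, size_t outlen)
{
    const char *line = conf;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p)) p++;
        if (*p != '#' && strncmp(p, "egdsocket", 9) == 0 &&
            p + 9 < line + len && isspace((unsigned char)p[9])) {
            const char *q;
            p += 9;
            while (p < line + len && isspace((unsigned char)*p)) p++;
            q = p;
            while (q < line + len && !isspace((unsigned char)*q)) q++;
            if (q > p && (size_t)(q - p) < outlen) {
                memcpy(out, p, q - p);
                out[q - p] = '\0';
                return 1;
            }
            return 0;
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Decide what to pass to LDAP_OPT_X_TLS_RANDOM_FILE.
 * Returns 0 if the ids match and RANDFILE is set (OpenSSL reads it itself),
 * 1 and copies the EGD socket path when that is the only usable source
 * (the setuid case from the post), -1 if a source is needed but none is set. */
int select_entropy_source(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                          const char *randfile_env, const char *egdsocket,
                          char *out, size_t outlen)
{
    if (!ids_mismatch(uid, euid, gid, egid) && randfile_env && *randfile_env)
        return 0;
    if (egdsocket && *egdsocket && strlen(egdsocket) < outlen) {
        strcpy(out, egdsocket);
        return 1;
    }
    return -1;
}

/* Sanity check: can we connect to the EGD unix socket? 0 = yes, -1 = no. */
int egd_socket_reachable(const char *path)
{
    struct sockaddr_un sa;
    int fd, rc;
    if (strlen(path) >= sizeof(sa.sun_path)) return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    char egd[256], src[256];
    int rc;
    if (!parse_egdsocket(SAMPLE_LDAP_CONF, egd, sizeof egd)) {
        fprintf(stderr, "no egdsocket line in ldap.conf\n");
        return 1;
    }
    rc = select_entropy_source(getuid(), geteuid(), getgid(), getegid(),
                               getenv("RANDFILE"), egd, src, sizeof src);
    if (rc == 1) {
        printf("use EGD socket %s (reachable: %s)\n", src,
               egd_socket_reachable(src) == 0 ? "yes" : "no");
        /* The patched pam_ldap would now call:
         * ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, src); */
    } else if (rc == 0) {
        printf("ids match and RANDFILE is set; OpenSSL seeds itself\n");
    } else {
        printf("no entropy source available for TLS\n");
    }
    return 0;
}
```

Run it once as an ordinary user and once from a setuid-root copy: only the second run takes the EGD branch, which is exactly the case the post describes for /bin/passwd-style programs.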