I've inherited a setup with authentication information on a local
freeradius 1.0.5 server and OpenLDAP (with pthreads) configured to
authenticate to SASL (v1 interface), which in turn uses PAM, which in
turn is configured to check passwords with pam_radius_auth 1.3.16. All
of this is on Linux RHEL3.
This setup regularly fails under any sort of concurrency. Threading
issues seem one likely reason. pam_radius_auth.c hasn't been touched in
a while and hasn't had the same attention to thread safety as the core
freeradius code.
Has anyone else been down the road of cleaning up the calls to
gethostbyname, variable scoping, etc? I know enough to recognize the
problem, but don't really trust myself to fix it.
Obvious workarounds for me include switching from SASL1/PAM to SASL2
and saslauthd; de-threading OpenLDAP (ick); or migrating the
authoritative password store out of Radius entirely. But all of these
have performance or operational issues here. I'd really like to get
pam_radius_auth working as my predecessors (wrongly) thought it would.