Failure to reconnect to ldaps server after idle_timeout

Matthew Newton mcn4 at leicester.ac.uk
Wed Mar 11 15:48:22 CET 2015


On Wed, Mar 11, 2015 at 09:13:20AM -0400, Alan DeKok wrote:
> 
>   It’s a bug in how libldap uses NSS.  Some of that is the NSS
>   patch.  Some of that is the libldap code.
> 
>   Libldap has no “initialize library” function.  As a result,
>   any initialization is done by various ad-hoc heuristics.
>   Libldap has no “close library” function.  As a result, any
>   cleanup is done by various ad-hoc heuristics.  These
>   heuristics can get things wrong, and can cause your program to
>   crash.

Oh nasty. That's exactly what I've just been through with the
Samba guys. I did a patch that used thread local storage, but then
in the best case you end up likely to leak memory because the
right destructor isn't called, or worse the library is unloaded
but there are still pointers left for destructor functions in some
threads, leading to crashes.

Solution? Nice clean initialise and free functions, then pass the
context into everything you use. All the messy heuristics go out
of the window and everyone is happy.

Agreed, there is no real solution for FreeRADIUS to work around it
in this case; the library needs fixing.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
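
The design proposed in the message above (explicit initialise and free functions, with the context passed into everything), shown for the close-on-idle-then-reconnect case this thread is about. This is an added example, not part of the original message and not libldap or FreeRADIUS code; the `dir_*` names and the CA path are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical dir_* library (not libldap's API): no globals, no TLS destructors.
 * Assumption: a context is used by one thread at a time, or the caller locks. */
typedef struct dir_ctx  { char ca_file[256]; int open_conns; } dir_ctx;
typedef struct dir_conn { dir_ctx *ctx; } dir_conn;

/* Explicit initialise: every setting the library needs lives in the context. */
dir_ctx *dir_ctx_init(const char *ca_file) {
    dir_ctx *ctx = calloc(1, sizeof(*ctx));
    if (!ctx || strlen(ca_file) >= sizeof(ctx->ca_file)) { free(ctx); return NULL; }
    strcpy(ctx->ca_file, ca_file);
    return ctx;
}

/* Explicit free: refuses (-1, nothing released) while connections still
 * reference the context, so no handle is left with a dangling pointer. */
int dir_ctx_free(dir_ctx *ctx) {
    if (!ctx) return 0;
    if (ctx->open_conns > 0) return -1;
    free(ctx);
    return 0;
}

dir_conn *dir_connect(dir_ctx *ctx) {
    dir_conn *c = ctx ? calloc(1, sizeof(*c)) : NULL;
    if (!c) return NULL;
    c->ctx = ctx;
    ctx->open_conns++;
    return c;
}

void dir_close(dir_conn *c) {
    if (c) { c->ctx->open_conns--; free(c); }
}

/* Idle-timeout close, then reconnect on the same context. Returns 0 on success. */
int dir_reconnect_demo(void) {
    dir_ctx *ctx = dir_ctx_init("/constructed/ca.pem"); /* constructed path */
    dir_conn *c = dir_connect(ctx);
    if (!c) { dir_ctx_free(ctx); return -1; }
    int early = dir_ctx_free(ctx);   /* refused: a connection is open */
    dir_close(c);                    /* idle timeout closes the handle */
    c = dir_connect(ctx);            /* reconnect, same context, no re-init guesswork */
    int ok = (early == -1 && c && c->ctx == ctx);
    dir_close(c);
    return (ok && dir_ctx_free(ctx) == 0) ? 0 : -1;
}
int main(void) { return dir_reconnect_demo(); }
```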

