> Hi!
> I have been digging on this issue and I found the ultimate cause of this
> problem.
> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> runs on
> a system configured with PAM/LDAPs, it chains into libldap, which uses
> GnuTLS/libgcrypt to manage the TLS channel.
> The problem is that when OpenLDAP calls gnutls_global_init(), this
> function does nothing because OpenLDAP had previously already
> initialized libgcrypt at some point on the stack (probably by mistake).
For the record, there is no mistake in OpenLDAP. And also for the record, we
on the OpenLDAP Project warned you guys multiple times that GnuTLS/libgcrypt
are broken by design, and should not be used. (E.g. as I noted here
https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/62)
The libgcrypt documentation states in section 2.5 that you *must* set the
thread callbacks before calling *any* other libgcrypt functions. libldap's
code does that. It's not our fault that libgcrypt's design is so broken that
even when you use it as documented it doesn't work. We've been telling you for
*years* that GnuTLS is broken by design.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/