Ping! OpenVPN with LDAP+TLS authentication runs into file exhaustion
simon at josefsson.org
Thu Nov 5 09:43:29 GMT 2009
Lars Ellenberg <lars.ellenberg at linbit.com> writes:
> OpenVPN with LDAP+TLS authentication runs into file exhaustion
>> Issue is only happening when LDAP is used with TLS support. On every
>> authentication, a file handle to /dev/urandom is created but never
>> Because the handle to /dev/urandom is never released, after the service
>> has been running for some time, users will fail to authenticate because
>> the backend is not able to open new file handles on /dev/urandom.
> As there has been absolutely no reaction yet, maybe you just missed it.
> Please have a look again at
Did you miss this discussion?
In short, dlopen/dlclose usage of libgcrypt is not supported.
Possibly GnuTLS could use Nettle as the crypto library instead of
libgcrypt. I'll look into this.
> Where I explain
> * the root cause,
> * possible workarounds,
> (one-line change to openvpn,
> or about 6 line change to libpam-ldap), and
> * a possible fix for this issue
> (slightly more involved libgcrypt stuff).
More information about the Ubuntu-devel-discuss
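
A check for the symptom in the quoted report, added here as an example (not code from OpenVPN, libpam-ldap, libgcrypt or anyone in this thread): it counts the descriptors of a process that point at /dev/urandom by reading Linux /proc/<pid>/fd. The function names are hypothetical, and the simulated leak is a constructed stand-in for the per-authentication leak, not the real code path.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count descriptors of `pid` ("self" or a numeric PID string) whose target
   is exactly `path`, via Linux /proc/<pid>/fd. Returns -1 if unreadable. */
int count_fds_to(const char *pid, const char *path)
{
    char dirpath[64], entry[384], target[4096];
    struct dirent *e;
    int n = 0;
    snprintf(dirpath, sizeof dirpath, "/proc/%s/fd", pid);
    DIR *d = opendir(dirpath);
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        snprintf(entry, sizeof entry, "%s/%s", dirpath, e->d_name);
        ssize_t len = readlink(entry, target, sizeof target - 1);
        if (len < 0)
            continue;   /* "." / ".." or a descriptor closed mid-scan */
        target[len] = '\0';
        if (strcmp(target, path) == 0)
            n++;
    }
    closedir(d);
    return n;
}

/* Constructed stand-in for the bug: every "authentication" opens
   /dev/urandom and never closes it. fds[] exists only for cleanup. */
int simulate_leaky_auths(int *fds, int count)
{
    for (int i = 0; i < count; i++)
        if ((fds[i] = open("/dev/urandom", O_RDONLY)) < 0)
            return -1;
    return 0;
}

int main(void)
{
    int fds[8], before = count_fds_to("self", "/dev/urandom");
    if (simulate_leaky_auths(fds, 8) != 0)
        return 1;
    printf("before=%d after=%d\n", before, count_fds_to("self", "/dev/urandom"));
    return 0;
}
```

Against a running daemon, pass its PID as a string instead of "self" (this needs the same user or root); a count that rises with each login and never falls matches the leak described in the report.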