Description of problem: The NSS_InitContext et. al, and their corresponding shutdown functions, are not thread safe. There can only be one thread at a time calling these functions. Protect the calls with a mutex. Create the mutex using a PR_CallOnce to ensure that the mutex is only created once and not used before created. Move the registration of the nss shutdown callback to also use a PR_CallOnce. Removed the call to SSL_ClearSessionCache() because it is always called at shutdown, and we must not call it more than once. Fixed upstream: http://www.openldap.org/its/index.cgi?findid=7022
Steps to reproduce: set up 2 openldap servers - one as a syncrepl provider, and the other as a syncrepl consumer, doing replication over TLS, for example: olcSyncrepl: {0}rid=1 provider=ldap://localhost.localdomain:1389 searchbase=dc =example,dc=com bindmethod=simple binddn=cn=manager,dc=example,dc=com credent ials=secret type=refreshAndPersist retry="1 +" starttls=critical tls_cacert=/ share/junk/cacert.pem where the provider is listening to ldap://localhost.localdomain:1389/ and has a database with a suffix dc=example,dc=com. In my testing, I also had a olcRootDN: cn=Manager,dc=example,dc=com for this database which I also used for syncrepl. Run a client that adds entries to the provider, and run an ldapsearch (using TLS) on the consumer to check that the entries are synced to the consumer. You should notice the crash on the consumer soon after enabling syncrepl to use TLS on the consumer.
Created attachment 518654 [details] backported patch for F14 LDAP_MUTEX_LOCK -> ldap_pvt_thread_mutex_lock LDAP_MUTEX_UNLOCK -> ldap_pvt_thread_mutex_unlock
openldap-2.4.26-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/openldap-2.4.26-2.fc16
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15
Package openldap-2.4.24-4.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openldap-2.4.24-4.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15 then log in and leave karma (feedback).
openldap-2.4.26-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/openldap-2.4.26-3.fc16
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-5.fc15
openldap-2.4.26-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.