lib:ldb: Don't use RTLD_DEEPBIND by default

It should be off by default, as this is not needed by default. It
crashes named on startup, if bind is built with jemalloc support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15643

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dc6927fdca)

lib/ldb/common/ldb_modules.c

@@ -945,7 +945,7 @@ static int ldb_modules_load_path(const char *path, const char *version)
 	int dlopen_flags;
 
 #ifdef RTLD_DEEPBIND
-	bool deepbind_enabled = (getenv("LDB_MODULES_DISABLE_DEEPBIND") == NULL);
+	bool deepbind_enabled = (getenv("LDB_MODULES_ENABLE_DEEPBIND") != NULL);
 #endif
 
 	ret = stat(path, &st);
@@ -981,21 +981,12 @@ static int ldb_modules_load_path(const char *path, const char *version)
 	dlopen_flags = RTLD_NOW;
 #ifdef RTLD_DEEPBIND
 	/*
-	 * use deepbind if possible, to avoid issues with different
-	 * system library variants, for example ldb modules may be linked
-	 * against Heimdal while the application may use MIT kerberos.
+	 * On systems where e.g. different kerberos libraries are used, like a
+	 * mix of Heimdal and MIT Kerberos, LDB_MODULES_ENABLE_DEEPBIND should
+	 * be set to avoid issues.
 	 *
-	 * See the dlopen manpage for details.
-	 *
-	 * One typical user is the bind_dlz module of Samba,
-	 * but symbol versioning might be enough...
-	 *
-	 * We need a way to disable this in order to allow the
-	 * ldb_*ldap modules to work with a preloaded socket wrapper.
-	 *
-	 * So in future we may remove this completely
-	 * or at least invert the default behavior.
-	*/
+	 * By default Linux distributions only have one Kerberos library.
+	 */
 	if (deepbind_enabled) {
 		dlopen_flags |= RTLD_DEEPBIND;
 	}

selftest/selftest.pl

@@ -433,12 +433,6 @@ $ENV{UID_WRAPPER} = 1;
 # We are already hitting the limit, so double it.
 $ENV{NSS_WRAPPER_MAX_HOSTENTS} = 200;
 
-# Disable RTLD_DEEPBIND hack for Samba bind dlz module
-#
-# This is needed in order to allow the ldb_*ldap module
-# to work with a preloaded socket wrapper.
-$ENV{LDB_MODULES_DISABLE_DEEPBIND} = 1;
-
 my $socket_wrapper_dir;
 if ($opt_socket_wrapper) {
 	$socket_wrapper_dir = SocketWrapper::setup_dir("$prefix_abs/w", $opt_socket_wrapper_pcap);

selftest/wscript

@@ -333,9 +333,8 @@ def cmd_testonly(opt):
         asan_options += ":suppressions=${srcdir}/selftest/sanitizer/asan.supp"
         asan_options += " "
 
-        # And we need to disable RTLD_DEEPBIND in ldb and socket wrapper
-        no_leak_check = "LDB_MODULES_DISABLE_DEEPBIND=1 "
-        no_leak_check += "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1"
+        # We need to disable RTLD_DEEPBIND in socket wrapper
+        no_leak_check = "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1"
         no_leak_check += " "
         env.CORE_COMMAND = asan_options + no_leak_check + env.CORE_COMMAND