Re: (ITS#8022) Backend Meta does not work with ssl-backends



Dirk Kastens wrote:
> Hi,
>
>> How about running ldapsearch with -d7, and also the corresponding search
>> against back-meta using slapd -d7. Upload the output somewhere that we
>> can review.
>
> See ftp.openldap.org/incoming/...
>
> You will find the following files:
>
> ldapsearch_direct: directly searching the source server with ssl
>
> ldapsearch_meta_starttls: searching the meta directory where the source
> server is connected via starttls (this works)
>
> ldapsearch_meta_ssl: searching the meta directory where the source
> server is connected via ssl (this doesn't work)
>
> slapd_meta_starttls: meta directory where the source server is connected
> via starttls (this works)
>
> slapd_meta_ssl: meta directory where the source server is connected via
> ssl (this doesn't work). slapd hangs after searching and has to be
> killed with "kill -4".
>
> Hope this helps.
>
I wasn't able to exactly reproduce the problem shown in your logs, but I 
did find a couple of problems here. For ldaps:// URLs, the back-meta 
config parser was ignoring the TLS settings. As such, it wasn't able to 
establish any ldaps session at all, unless there were usable settings in 
ldap.conf/ldaprc/etc... Also, back-meta was specifying that libldap 
should open its outbound connections asynchronously, and this wasn't 
working properly if the async connection succeeded immediately. (I.e., 
when told to open async, libldap would expect the connection to take a 
long time to complete, and defer the rest of initialization to a 
following library call. If it completed immediately, libldap would 
mis-handle the rest of initialization.)

I've pushed fixes for both of these problems to git master and back-meta 
works on ldaps:// for me now. Since I didn't reproduce your symptoms, I 
have no idea if this will improve things for you or not. Please test and 
follow up, thanks.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
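
The second problem described in the message above, a non-blocking connect that completes immediately, sketched as an added example; it is not libldap or back-meta code and not part of the original message. The names `conn_open_async`, `conn_poll` and `finish_init` are hypothetical, and the demo uses a constructed local Unix-socket listener, where a non-blocking `connect()` normally returns 0 at once.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum conn_state { CONN_FAILED = -1, CONN_PENDING = 0, CONN_READY = 1 };
struct conn { int fd; enum conn_state state; int init_runs; };

/* Hypothetical post-connect setup; a TLS handshake would be started here. */
static void finish_init(struct conn *c) { c->init_runs++; c->state = CONN_READY; }
static void conn_fail(struct conn *c) { close(c->fd); c->fd = -1; c->state = CONN_FAILED; }

/* Start a non-blocking connect and handle all three outcomes. */
static void conn_open_async(struct conn *c, const struct sockaddr *sa, socklen_t len) {
    c->init_runs = 0; c->state = CONN_FAILED;
    if ((c->fd = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) return;
    fcntl(c->fd, F_SETFL, fcntl(c->fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(c->fd, sa, len) == 0) finish_init(c);        /* completed at once */
    else if (errno == EINPROGRESS) c->state = CONN_PENDING;  /* finish in conn_poll */
    else conn_fail(c);
}

/* Follow-up call: completes a pending connect; no-op once ready or failed. */
static void conn_poll(struct conn *c, int timeout_ms) {
    struct pollfd p = { .fd = c->fd, .events = POLLOUT };
    int err = 0; socklen_t elen = sizeof err;
    if (c->state != CONN_PENDING || poll(&p, 1, timeout_ms) <= 0) return;
    if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, &err, &elen) == 0 && err == 0) finish_init(c);
    else conn_fail(c);
}

/* Constructed demo: returns 1 if setup ran exactly once and the state is READY. */
static int demo_immediate_connect(void) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct conn c;
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    snprintf(sa.sun_path, sizeof sa.sun_path, "/tmp/async_demo.%d.sock", (int)getpid());
    unlink(sa.sun_path);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0) return 0;
    conn_open_async(&c, (struct sockaddr *)&sa, sizeof sa);
    conn_poll(&c, 1000);   /* harmless if the connect already completed */
    close(lfd); unlink(sa.sun_path);
    if (c.fd >= 0) close(c.fd);
    return c.state == CONN_READY && c.init_runs == 1;
}
int main(void) { printf("ready after one init: %d\n", demo_immediate_connect()); return 0; }
```

The point of the sketch is that the setup step is reachable from both the immediate-success branch and the deferred branch, and that the follow-up call does nothing when the connection is already ready.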