
Strange TLS issue while upgrading from openldap 2.3 to 2.4



Hello list.

I recently faced a strange issue while upgrading from openldap 2.3 to 2.4 (from centos 5.7 to 6.2, actually): the change was transparent for every application except Zimbra, for which any authentication attempt suffered from an unexplained 30s additional delay. Just switching from explicit TLS usage on port 389 to implicit SSL usage on port 636 was enough to fix the issue.

The logs show that the delay occurs between the moment the bind operation succeeds and the moment the client connection gets closed:

Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=128.93.142.13:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 RESULT oid= err=0 text=
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" method=128
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" mech=SIMPLE ssf=0
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
...
Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed (connection lost)

Before the upgrade, the connection got closed immediately, and there was no such delay.

Using a higher logging level doesn't provide additional useful details, except maybe more details about connection termination:

Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): checking for input on id=1135
Jun 14 12:53:21 ildapslave2 slapd[7156]: ber_get_next on fd 109 failed errno=0 (Success)
Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): input error=-2 id=1135, closing.

I'm aware that this behaviour change may actually come from underlying libraries, such as bdb for instance, rather than openldap itself, but that's still quite a curious issue. Does anyone have a clue about this problem?

--
The more cordial the buyer's secretary, the greater the odds that the competition already has the order
		-- Murphy's Laws on Technology n°38
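As an added example (not part of the original post or of OpenLDAP itself), here is a small Python script that pulls the timing described above out of slapd's default-loglevel output. For each conn=N it records the listen port from the ACCEPT line, whether STARTTLS was negotiated or TLS was implicit (ldaps), the timestamp of the last successful BIND RESULT (tag=97 err=0), whether the client sent an UNBIND, and the closed line, then reports connections whose close lags the bind by more than a threshold. The sample log lines are constructed for this example (hostname, connection ids, addresses and DN are made up); the syslog year is assumed, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post). conn=2787 uses STARTTLS on
# 389 and is only closed 30s after its bind, as "connection lost"; conn=2790 uses
# ldaps on 636, sends an UNBIND and is closed at once.
SAMPLE_LOG = """\
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=192.0.2.10:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=0 RESULT oid= err=0 text=
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 fd=135 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=org" method=128
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jun 14 11:56:04 ldap1 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 fd=140 ACCEPT from IP=192.0.2.10:41200 (IP=0.0.0.0:636)
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 fd=140 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 op=0 BIND dn="uid=user1,ou=people,dc=example,dc=org" method=128
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 op=0 BIND dn="uid=user1,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 op=0 RESULT tag=97 err=0 text=
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 op=1 UNBIND
Jun 14 11:56:05 ldap1 slapd[16618]: conn=2790 fd=140 closed
Jun 14 11:56:34 ldap1 slapd[16618]: conn=2787 fd=135 closed (connection lost)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$"
)
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<peer>\S+) \(IP=\S+:(?P<port>\d+)\)")
BIND_RESULT_RE = re.compile(r"op=\d+ RESULT tag=97 err=(?P<err>\d+)")


def parse_ts(ts, year=1970):
    """Syslog timestamps carry no year; one is assumed so deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def transport(rec):
    """Classify how the connection was protected, from the ACCEPT/STARTTLS/TLS lines."""
    if rec["starttls"]:
        return f"STARTTLS on {rec['port']}"
    if rec["tls"]:
        return f"implicit TLS (ldaps) on {rec['port']}"
    return f"cleartext on {rec['port']}"


def analyze(log_text, threshold=5.0):
    """Return connections whose close lags their last successful bind by >= threshold seconds."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        rec = conns.setdefault(m.group("conn"), {
            "port": None, "peer": None, "starttls": False, "tls": False,
            "bind_ok_at": None, "unbind": False, "closed_at": None, "lost": False,
        })
        rest = m.group("rest")
        accept = ACCEPT_RE.search(rest)
        bind_result = BIND_RESULT_RE.search(rest)
        if accept:
            rec["port"] = int(accept.group("port"))
            rec["peer"] = accept.group("peer")
        elif rest.endswith("STARTTLS"):
            rec["starttls"] = True
        elif "TLS established" in rest:
            rec["tls"] = True
        elif bind_result and bind_result.group("err") == "0":
            rec["bind_ok_at"] = ts          # last successful bind wins
        elif rest.endswith("UNBIND"):
            rec["unbind"] = True
        elif " closed" in rest:
            rec["closed_at"] = ts
            rec["lost"] = "connection lost" in rest   # no UNBIND, peer vanished
    slow = []
    for conn, rec in conns.items():
        if rec["bind_ok_at"] is None or rec["closed_at"] is None:
            continue
        rec["gap_s"] = (rec["closed_at"] - rec["bind_ok_at"]).total_seconds()
        if rec["gap_s"] >= threshold:
            slow.append({"conn": conn, **rec})
    return slow


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in analyze(text):
        how = "connection lost" if r["lost"] else ("UNBIND" if r["unbind"] else "closed")
        print(f"conn={r['conn']} {transport(r)} peer={r['peer']} "
              f"bind->close {r['gap_s']:.0f}s ({how})")
```

Run it against the real slapd log (`python3 slapd_bind_gap.py /var/log/slapd.log`, filename assumed) to see whether the slow connections are exactly the STARTTLS-on-389 ones ending in "connection lost" without an UNBIND, which is the pattern the post reports, and whether the ldaps-on-636 ones close cleanly.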