[Date Prev][Date Next] [Chronological] [Thread] [Top]

Strange TLS issue while upgrading from openldap 2.3 to 2.4

To: openldap-technical@openldap.org
Subject: Strange TLS issue while upgrading from openldap 2.3 to 2.4
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Mon, 25 Jun 2012 13:46:36 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=NV8Vb7s+Kn0YLaPPbObcxdGj8Lss3Nn+pF6FmDI+3pI=; b=AFO8slqSZ13WB9SybfM3R1QvHGFTm5O+DZGESD7Dqop73JBALI20w6rGlPBKwElYpM 1EDE4oRL1juRJzr1K7xr8kcQq9wFOyLgygS5OPJ65k+UJzXqEG2JygAIs07QfhU5MTEl n2m0FQ+TkUb/GthkeewDHrwhUS/4LCSNebULDw1qfFUACygWYg5mOXibWTB1wTXAmsno uOLVyoz6GAW9SnM3tfBP2Tb8JJO0Vxq4/u4kuV8Soyu0ss7seqNKkrUNfAw6srVTLS6+ J86tEi4gB8EBJ6iIEFVQn9RVmGlRQhI7kqVDM2IQ3LqqLoA2o7HxIKYq2tlF37cPC1/9 sEUQ==
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120616 Thunderbird/13.0.1

Hello list.

I recently faced a strange issue while upgrading from openldap 2.3 to2.4 (from centos 5.7 to 6.2, actually): the change was transparent forevery applications excepted Zimbra, for which any authentication attemptwas suffering from an unexplained 30s additional delay. Just switchingfrom explicit TLS usage on port 389 to explicit SSL usage on port 636was enough to fix the issue.

The logs shows than the delay occurs between the moment where the bindoperation succeed, and the moment the client connection get closed:

Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT fromIP=128.93.142.13:41191 (IP=0.0.0.0:389)Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 EXToid=1.3.6.1.4.1.1466.20037

Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS

Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 RESULT oid=err=0 text=Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 TLSestablished tls_ssf=256 ssf=256Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BINDdn="uid=fauge00C,ou=people,dc=inria,dc=fr" method=128Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BINDdn="uid=fauge00C,ou=people,dc=inria,dc=fr" mech=SIMPLE ssf=0Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97err=0 text=

...

Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed(connection lost)

Before the upgrade, the connection get closed immediatly, and there isno such delay.

Using higher logging level doesn't provide additional useful details,excepted maybe more details about connection termination:Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): checkingfor input on id=1135Jun 14 12:53:21 ildapslave2 slapd[7156]: ber_get_next on fd 109 failederrno=0 (Success)Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): inputerror=-2 id=1135, closing.

I'm aware than this behaviour change may actually come from underlyinglibraries, such as bdb for instance, rather than openldap itself, butthat's still quite a curious issue. Does anyone have a clue about thisproblem ?

--

The more cordial the buyer's secretary, the greater the odds that thecompetition already has the order

		-- Murphy's Laws on Technology n°38

Follow-Ups:
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Christopher Wood <christopher_wood@pobox.com>

Prev by Date: Re: Ldap filter to get group members
Next by Date: Re: Ldap filter to get group members
Index(es):
- Chronological
- Thread