[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4

Subject: Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Thu, 28 Jun 2012 12:34:07 +0200
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=t7fADD7LVq6uHRRmGk9SWglt3M8S1xAE1ZWCJwyE6Zw=; b=eibQ84RV7G6YKX7NzbTFwua78YiGnSI6l+pdZdhMYFC6uMkcPBaAzJqP/g1qapFjSG rx6cz43cKcIVZbfcgaxNnn+OMmMLZUWfGP2+u8LpXUgb7YRZxh5PkYDqb8mZAEtnDiap JxQMPVbQYmA/YARlCufxu1xpe9AqCYI0/onzDOweqn565mrJAUG29T4uv+cOTxD/8eAD ejv2sHhutSOdAaIbuRfgdUk5l99njCunkhYdk9LgAEPoozf5/XjPknmHkBkc94+J7EvQ JtAv6eqvQoU37h643rMXghDYWeFkGhf4Kc81tsy6d28S4maj1tF/v6ROYbHZ+ugfOiqs di7g==
In-reply-to: <0B15C7C27B9C7772F0633190@[192.168.1.38]>
References: <4FE84F9C.5080302@gmail.com> <6EAAAEC21E699D0AFDA013BD@[192.168.1.38]> <4FE97285.4010608@gmail.com> <17958D3A6B91B35DAC7D509A@[192.168.1.38]> <4FEB0B35.1000607@gmail.com> <0B15C7C27B9C7772F0633190@[192.168.1.38]>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120616 Thunderbird/13.0.1

Le 28/06/2012 01:41, Quanah Gibson-Mount a écrit :

--On Wednesday, June 27, 2012 3:31 PM +0200 Guillaume Rousse
<guillomovitch@gmail.com> wrote:

Sorry, I'm not a Zimbra admin, and I may have been confusing in my
explanations. The problem occurs with Zimbra acting as an LDAP client
against an external LDAP server, performing a bind operation for
authenticating users, with the following behaviour:

Zimbra against on openldap 2.3.x server, with TLS on port 389: OK
Zimbra against on openldap 2.4.x server, on port 636: OK
Zimbra against on openldap 2.4.x server, with TLS on port 389: 30s delay


Ok, so what you are saying is:

You upgraded your OS to CentOS6

You use external auth

The external auth from CentOS6 to your own LDAP server shows a 30 second
delay on closing.

Almost :)

I upgraded the OS of the machine running the LDAP server, the zimbraserver didn't change. So, that's the external auth from a RHEL 5.8system running Zimbra 7, against a Centos 6.2 system running OpenLDAP2.4.24.

That sounds like a bug in Java/JNDI.  I did see some 30 second issues
with RHEL6, but it was with initiating a connection, not closing it.

Indeed. I don't see why either the ldap server or the ldap client wouldneed to perform any DNS query once the connection has been accepted, andthe TLS negociation was successful.

You can see more about that at
<https://stomp.colorado.edu/blog/blog/2011/06/29/on-rhel-6-ssh-dns-firewalls-and-slow-logins/>


I would note that JNDI behavior varies based on startTLS vs SSL on port
636 as well.

Interesting. We tried the workaround, on both side (openldap server,then zimbra server), without any behaviour change.

The only thing I'm unsure, tough, is about the moment where a change inresolver configuration has an effect. As the resolver is technicaly apart of the glibc, and can never get reloaded, I guess it uses the filetimestamp to detect file modification and reload it immediatly.

Also, I'll try to find some other example of java-based applicationsacting as LDAP client, in our environement

--
BOFH excuse #443:

Zombie processes detected, machine is haunted.

References:
- Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Guillaume Rousse <guillomovitch@gmail.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Guillaume Rousse <guillomovitch@gmail.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Guillaume Rousse <guillomovitch@gmail.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: memberOf data in new replica servers 2.4.31
Next by Date: Memberof overlay with posixGroup
Index(es):
- Chronological
- Thread