
Re: Spurious Start TLS failed errors on proxied bind OpenLDAP 2.4.40 [possible cause found]



--On Monday, January 28, 2019 6:47 PM +0200 Janne Peltonen <janne.peltonen@helsinki.fi> wrote:

Next, we tried Unto Sten's suggestion: we confirmed that the "timeout"
variable is zero, so we go into the "else" branch he mentioned; then
instead of calling the macro in the else branch, we just directly set
tv.sec = 3 and tv.usec = 0 (a quick and dirty hack, I know). After that,
we were no longer able to get any Start TLS failed errors on the proxy,
and all proxy binds were completed successfully. To make sure, we
downgraded the proxy again, and sure enough, the Start TLS failed
errors reappeared, or rather, we began to have some of them again.
Upgraded again, and no errors at all.

To us, this really seems as if the root of the problem were that the
starttls timeout ends up being 0.1 seconds, which is too short if
there are any latencies in the network. What would be the correct place
to fix this?  It appears to me that you should be able to say "timeout
extended=5" or something similar in a config file, but in
back-ldap/config.c the "extended" timeout option is commented out as
unimplemented. So, what would be required to implement it?

Relevant files:

back-ldap/bind.c (ldap_back_start_tls function, setting of tv using
LDAP_BACK_TV_SET macro)
back-ldap/back-ldap.h (defining the LDAP_BACK_TV_SET to basically set
the timeout to 0.1 s)
back-ldap/config.c (definition of timeout_table)

Please file an issue report at http://www.openldap.org/its/ so this can be tracked and resolved.

Thanks!

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
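The mechanism the quoted report describes, modelled as an added example (this is not OpenLDAP's code and not the poster's hack): when no per-operation timeout is configured, the StartTLS wait falls back to a fixed 0 s + 100000 us timeval, so any response that takes longer than 100 ms is treated as a StartTLS failure. The constants, the `timeout <op>=<seconds>` directive shape, the three-entry operation table, the `parse_timeout_directive` helper, the `starttls_timeval_hardened` floor and `response_in_time` are all assumptions made for illustration; real `struct timeval` fields are `tv_sec`/`tv_usec`, which is what the post's "tv.sec"/"tv.usec" refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

/* Operations a "timeout" directive can name in this model.  The post says
 * "extended" exists in back-ldap's timeout_table but is commented out as
 * unimplemented; this model accepts it so the hardened variant can use it. */
enum { OP_BIND, OP_SEARCH, OP_EXTENDED, OP_LAST };
static const char *const op_names[OP_LAST] = { "bind", "search", "extended" };

struct proxy_timeouts {
	long secs[OP_LAST];	/* 0 means "not configured" */
};

/* Fallback the post attributes to LDAP_BACK_TV_SET: 0 s + 100000 us = 0.1 s
 * (assumed values, taken from the report, not from the OpenLDAP headers). */
#define MODEL_RESULT_TIMEOUT	0
#define MODEL_RESULT_UTIMEOUT	100000

/* Hypothetical parser for "timeout bind=5 extended=3" or a bare "10" that
 * applies to every operation.  Returns 0 on success, -1 on an unknown
 * keyword, an empty/non-numeric value or a negative value. */
int parse_timeout_directive(const char *arg, struct proxy_timeouts *t)
{
	const char *p = arg;
	char tok[64];
	int i;

	memset(t, 0, sizeof(*t));
	while (*p) {
		char *eq, *end;
		const char *num;
		long val;
		size_t n;

		p += strspn(p, " \t");		/* skip separators */
		if (!*p)
			break;
		n = strcspn(p, " \t");
		if (n >= sizeof(tok))
			return -1;
		memcpy(tok, p, n);
		tok[n] = '\0';
		p += n;

		eq = strchr(tok, '=');
		if (eq)
			*eq++ = '\0';
		num = eq ? eq : tok;
		val = strtol(num, &end, 10);
		if (*num == '\0' || *end != '\0' || val < 0)
			return -1;
		if (!eq) {			/* bare number: all operations */
			for (i = 0; i < OP_LAST; i++)
				t->secs[i] = val;
			continue;
		}
		for (i = 0; i < OP_LAST && strcmp(tok, op_names[i]) != 0; i++)
			;
		if (i == OP_LAST)
			return -1;
		t->secs[i] = val;
	}
	return 0;
}

/* Default behaviour as the report describes it: use the extended-op timeout
 * if one is set, otherwise the 0.1 s fallback. */
void starttls_timeval_default(const struct proxy_timeouts *t, struct timeval *tv)
{
	if (t->secs[OP_EXTENDED]) {
		tv->tv_sec = t->secs[OP_EXTENDED];
		tv->tv_usec = 0;
	} else {
		tv->tv_sec = MODEL_RESULT_TIMEOUT;
		tv->tv_usec = MODEL_RESULT_UTIMEOUT;
	}
}

/* Hardened variant (assumed fix): never wait less than floor_ms, so an
 * unconfigured timeout cannot collapse to 100 ms. */
void starttls_timeval_hardened(const struct proxy_timeouts *t, struct timeval *tv, long floor_ms)
{
	long ms;

	starttls_timeval_default(t, tv);
	ms = (long)tv->tv_sec * 1000L + (long)tv->tv_usec / 1000L;
	if (ms < floor_ms) {
		tv->tv_sec = floor_ms / 1000;
		tv->tv_usec = (floor_ms % 1000) * 1000;
	}
}

/* 1 if a StartTLS response arriving after latency_ms fits in the timeval
 * (the result poll would see it), 0 if it would be reported as timed out. */
int response_in_time(const struct timeval *tv, long latency_ms)
{
	long budget_ms = (long)tv->tv_sec * 1000L + (long)tv->tv_usec / 1000L;
	return latency_ms <= budget_ms;
}

int main(void)
{
	struct proxy_timeouts t;
	struct timeval tv;

	parse_timeout_directive("bind=5", &t);	/* extended left unset, as on the poster's proxy */
	starttls_timeval_default(&t, &tv);
	printf("default: %ld.%06ld s, 250 ms RTT ok=%d\n",
	       (long)tv.tv_sec, (long)tv.tv_usec, response_in_time(&tv, 250));
	starttls_timeval_hardened(&t, &tv, 2000);
	printf("hardened: %ld.%06ld s, 250 ms RTT ok=%d\n",
	       (long)tv.tv_sec, (long)tv.tv_usec, response_in_time(&tv, 250));
	return 0;
}
```

The point of the two variants is that the defect is a policy choice, not a parsing bug: the per-operation timeout table makes it possible to leave the extended-op entry at zero, and the fallback then picks a value far below typical WAN round-trip times. A floor (or honouring an "extended" entry) keeps a missing setting from silently becoming a 100 ms deadline.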