Hello list.
I recently faced a strange issue while upgrading from openldap 2.3 to
2.4 (from centos 5.7 to 6.2, actually): the change was transparent for
every application except Zimbra, for which any authentication attempt
was suffering from an unexplained 30s additional delay. Just switching
from explicit TLS usage on port 389 to explicit SSL usage on port 636
was enough to fix the issue.
The logs show that the delay occurs between the moment when the bind
operation succeeds and the moment the client connection gets closed:
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=128.93.142.13:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 RESULT oid= err=0 text=
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 TLS established tls_ssf=256 ssf=256
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" method=128
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 BIND dn="uid=fauge00C,ou=people,dc=inria,dc=fr" mech=SIMPLE ssf=0
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
...
Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed (connection lost)
Before the upgrade, the connection got closed immediately, and there was
no such delay.
Using a higher logging level doesn't provide additional useful details,
except maybe more details about connection termination:
Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): checking for input on id=1135
Jun 14 12:53:21 ildapslave2 slapd[7156]: ber_get_next on fd 109 failed errno=0 (Success)
Jun 14 12:53:21 ildapslave2 slapd[7156]: connection_read(109): input error=-2 id=1135, closing.
I'm aware that this behaviour change may actually come from underlying
libraries, such as bdb for instance, rather than openldap itself, but
that's still quite a curious issue. Does anyone have a clue about this
problem?
--
The more cordial the buyer's secretary, the greater the odds that the
competition already has the order
-- Murphy's Laws on Technology n°38
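
Added example, not part of the original post: a small Python script that measures, per connection, the time between the last RESULT and the close in slapd syslog lines of the format quoted above, and lists the connections that linger. The function names, the 5-second threshold, the default year and the conn=2788 sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime

# conn=2787 lines are taken from the post (wrapped lines rejoined);
# conn=2788 is a constructed fast connection added for contrast.
SAMPLE = """\
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 fd=135 ACCEPT from IP=128.93.142.13:41191 (IP=0.0.0.0:389)
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=0 STARTTLS
Jun 14 11:56:04 ildapslave2 slapd[16618]: conn=2787 op=1 RESULT tag=97 err=0 text=
Jun 14 11:56:34 ildapslave2 slapd[16618]: conn=2787 fd=135 closed (connection lost)
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 fd=136 ACCEPT from IP=192.0.2.10:50000 (IP=0.0.0.0:636)
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 op=0 RESULT tag=97 err=0 text=
Jun 14 11:57:10 ildapslave2 slapd[16618]: conn=2788 fd=136 closed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ slapd\[(\d+)\]: conn=(\d+) (.*)$")
CLOSED = re.compile(r"fd=\d+ closed(?: \((.*)\))?$")

def idle_gaps(text, year=2000):
    """Map (slapd pid, conn id) -> seconds between the last RESULT and the close.

    Syslog timestamps carry no year; `year` is an arbitrary assumption that
    only matters for logs spanning a year boundary.
    """
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a per-connection slapd line
        stamp, pid, conn, rest = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # conn ids restart with slapd, so key on the pid as well
        c = conns.setdefault((int(pid), int(conn)),
                             {"starttls": False, "last_result": None, "gap": None, "reason": None})
        closed = CLOSED.search(rest)
        if rest.endswith(" STARTTLS"):
            c["starttls"] = True
        elif " RESULT " in rest:
            c["last_result"] = when
        elif closed and c["last_result"] is not None:
            c["gap"] = (when - c["last_result"]).total_seconds()
            c["reason"] = closed.group(1)
    return conns

def slow_closes(text, threshold=5.0):
    """Connections that stayed open more than `threshold` seconds after the last RESULT."""
    return sorted((conn, c["gap"], c["starttls"], c["reason"])
                  for (_, conn), c in idle_gaps(text).items()
                  if c["gap"] is not None and c["gap"] > threshold)

if __name__ == "__main__":
    for conn, gap, tls, reason in slow_closes(SAMPLE):
        print(f"conn={conn} idle {gap:.0f}s after last RESULT, starttls={tls}, close reason={reason}")
```

Run over a full slapd log, this shows whether the lingering connections are confined to those that issued STARTTLS and to particular client addresses.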