** Description changed: + [Impact] + ======== + When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as - https://bugs.openldap.org/show_bug.cgi?id=8650 which was fixed in - https://git.openldap.org/openldap/openldap/-/commit/735e1ab and was - released as part of version 2.4.50. This bug effects Ubuntu 20.04 LTS - and potentially earlier Ubuntu releases. Later Ubuntu releases use an - openldap version that is at least 2.4.50 and are therefore not affected. + https://bugs.openldap.org/show_bug.cgi?id=8650. In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be + restart after a timeout has been hit. + + + [Test Plan] + =========== + + When using openldap on 20.04, this bug causes failures in the SSSD LDAP + backend, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit: Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error) Mar 19 19:05:32 mail sssd_be[867455]: Starting up + + With the patched version, this should no longer be a problem. + + + [Where Problems Could Occur] + ============================ + + With this patch applied, there may be few edge cases in (and varying + b/w) different versions of GnuTLS. And also some bits that are discussed + in https://bugs.openldap.org/show_bug.cgi?id=8650. + + But that said, the patched version is already being run in production + for over two weeks time (at the time of writing - 07/04/21). So I + believe the SRU will clearly benefit from this and has lower risk of + regression. + + + [More Info] + =========== A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg- 2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period. - - As this bug affects all systems using LDAP with TLS, I suggest that the - fix for this bug is ported to Ubuntu 20.04 LTS and potentially earlier - versions.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1921562 Title: Intermittent hangs during ldap_search_ext when TLS enabled Status in openldap: Fix Released Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Focal: In Progress Bug description: [Impact] ======== When connecting to an LDAP server with TLS, ldap_search_ext can hang if during the initial TLS handshake a signal is received by the process. The cause of this bug is the same as https://bugs.openldap.org/show_bug.cgi?id=8650. In our case this bug cause failures in the SSSD LDAP backend at least once per day, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit. [Test Plan] =========== When using openldap on 20.04, this bug causes failures in the SSSD LDAP backend, resulting in authentication errors followed by a sssd_be restart after a timeout has been hit: Mar 19 19:05:31 mail auth[867454]: pam_sss(dovecot:auth): received for user redacted: 4 (System error) Mar 19 19:05:32 mail sssd_be[867455]: Starting up With the patched version, this should no longer be a problem. [Where Problems Could Occur] ============================ With this patch applied, there may be few edge cases in (and varying b/w) different versions of GnuTLS. And also some bits that are discussed in https://bugs.openldap.org/show_bug.cgi?id=8650. But that said, the patched version is already being run in production for over two weeks time (at the time of writing - 07/04/21). So I believe the SRU will clearly benefit from this and has lower risk of regression. [More Info] =========== A reduced version of the patch linked above can be found attached to this bug report. This patch has been applied to version 2.4.49+dfsg- 2ubuntu1.7 and has been running in production for approximately a week and the issue has no longer occurred. No other issues have appeared during this period. To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1921562/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
