[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Wed, 27 Jun 2012 15:31:33 +0200
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=2OGooIPInRvSNSLlbKPRbErWfWqseIbxJXXT0M15nO8=; b=xlxrGb2RvNf9YqkHbuyA0CCGTeNGqURYY0lowB2mgldYMERMNrSiF83wvhZRWxxhPh 7pyMpPKC/zBT0bRl9qrBEMhmruABrZ1Ww4NvC3j2bniecucLqX8y5NI/9o/9iOf6hNiA gO3a5iwVROPVtG/fo0buKGV4N6otJuH0FY2VsjVUGIok+H2C4F1cQA/tMp8zeyuAEQS9 QA7tWIOZFnrwq4yijHKvDypOnAvJsnmuLjl/gbUq+arAeYtlfy4rXlgaQSbYhhGhM1EF F0AL621V+zDE+21BQNdfXIpvVD+bxH/U6BlRaQ8ldajml8Da0b7Rl8r59iIb6ZNI2qND XWsA==
In-reply-to: <17958D3A6B91B35DAC7D509A@[192.168.1.38]>
References: <4FE84F9C.5080302@gmail.com> <6EAAAEC21E699D0AFDA013BD@[192.168.1.38]> <4FE97285.4010608@gmail.com> <17958D3A6B91B35DAC7D509A@[192.168.1.38]>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120616 Thunderbird/13.0.1

Le 26/06/2012 21:25, Quanah Gibson-Mount a Ãcrit :

--On Tuesday, June 26, 2012 10:27 AM +0200 Guillaume Rousse
<guillomovitch@gmail.com> wrote:

Le 25/06/2012 20:06, Quanah Gibson-Mount a Ãcrit :

--On Monday, June 25, 2012 1:46 PM +0200 Guillaume Rousse
<guillomovitch@gmail.com> wrote:

Hello list.

I recently faced a strange issue while upgrading from openldap 2.3 to
2.4 (from centos 5.7 to 6.2, actually): the change was transparent for
every applications excepted Zimbra, for which any authentication
attempt was suffering from an unexplained 30s additional delay. Just
switching from explicit TLS usage on port 389 to explicit SSL usage on
port 636 was enough to fix the issue.


I would use ldapsearch -d -1 to see what function it was hanging in.

Unfortunatly (sort of), I can't reproduce the issue with any other client
as zimbra itself... ldapsearch works fine, even when run from the same
host as zimbra.


ldapsearch against the zimbra server works fine (no delay on closing)?
Then that would imply the issue is with whatever client is making the
connection to Zimbra.  It looks like slapd is simply detecting the
connection was never closed properly after about 30 seconds, and taking
care of closing it. I don't specifically see any issue here.  Initially
I thought you were saying you were seeing this issue while initiating a
connection, not while closing it.

Sorry, I'm not a Zimbra admin, and I may have been confusing in myexplanations. The problem occurs with Zimbra acting as an LDAP clientagainst an external LDAP server, performing a bind operation forauthenticating users, with the following behaviour:


Zimbra against on openldap 2.3.x server, with TLS on port 389: OK
Zimbra against on openldap 2.4.x server, on port 636: OK
Zimbra against on openldap 2.4.x server, with TLS on port 389: 30s delay

The mail admin is supposed to report a bug to Zimbra support.
--
BOFH excuse #12:

dry joints on cable plug

Follow-Ups:
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Guillaume Rousse <guillomovitch@gmail.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Guillaume Rousse <guillomovitch@gmail.com>
- Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: chaining and returning errors
Next by Date: Filter character encoding independent
Index(es):
- Chronological
- Thread