Full_Name: Diana Scannicchio
Version: 2.4.39-8.el6
OS: EL6 (SLC6 - Scientific Linux CERN 6)
URL: https://scannicc.web.cern.ch/scannicc/openldap/
Submission from: (NULL) (128.141.46.221)

Dear experts,

I configured 1 LDAP provider and 9 LDAP consumers to serve a large system (~3000 nodes and ~4000 users) and answer thousands of requests. In November 2014 I upgraded the openldap version from 2.4.23-34.el6_5.1 to 2.4.39-8.el6 and we started to experience some issues. We need to regularly modify the LDAP content (e.g. netgroups, sudo rules) and, doing so, we randomly started to get the message

  ldapmodify: Server is unavailable (52)

and correspondingly in the log on the consumers we find

  conn=22818341 op=1 ldap_back_retry: retrying URI="ldap://vm-atlas-ldap-1.cern.ch:389" DN="cn=manager,ou=atlas,o=cern,c=ch"
  slapd[6175]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?

After some debugging and tests I think that this is due to the connection being closed by the provider

  tcp 1 0 consumer:36812 provider:ldap CLOSE_WAIT 3254/slapd

and the consumers not being able to reconnect at the first request. Indeed, when the consumer receives a first request it fails to connect to the provider and manages to open the connection only at the second request. The connection then stays open if requests are sent continuously, and after 6 minutes (the idletimeout) it is closed by the provider. The fact that each time the first request fails makes the system unusable. I temporarily downgraded openldap back to version 2.4.23-34.el6_5.1, with which we do not have this issue.

Could you please help us in understanding how to fix the issue? And/or am I configuring something wrongly? What has been changed between 2.4.23-34.el6_5.1 and 2.4.39-8.el6? Is there some parameter that could be set more properly?
You can find the slapd.conf configuration files used for the provider and for the consumers at https://scannicc.web.cern.ch/scannicc/openldap/ Any help and suggestion is very welcome. Please let me know if you need more information. Thank you very much and best regards, Diana P.S. the logs are also filled with slapd[1377]: connection_read(36): no connection! but this was present also with the previous openldap versions...
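The "first request after idle fails, second succeeds" pattern described in this report can be checked against the consumer logs rather than guessed at. The following is an added example (Python, not code from the reporter or from the OpenLDAP project): it assumes syslog framing (timestamp, host, slapd[pid]) around the message bodies quoted above and the 6-minute provider idletimeout; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=6)  # provider idletimeout quoted in the thread

# Syslog framing (timestamp, host, slapd[pid]) is assumed; bodies follow the thread's lines.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<msg>.*)$")
RETRY_RE = re.compile(r'ldap_back_retry: retrying URI="(?P<uri>[^"]+)"')
ERROR_RE = re.compile(r"ldap_back_is_proxy_authz returned 0")

def parse_ts(text, year=2015):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def analyze(lines, idle=IDLE_TIMEOUT):
    """Bucket each chain retry as 'cold' (first use of the URI, or first use after >= idle
    of silence) or 'warm', and count retries followed by the proxy-authz error."""
    last_use, stats, open_retry = {}, {}, None
    for m in filter(None, map(LINE_RE.match, lines)):
        ts, msg = parse_ts(m["ts"]), m["msg"]
        r = RETRY_RE.search(msg)
        if r:
            uri = r["uri"]
            bucket = "cold" if uri not in last_use or ts - last_use[uri] >= idle else "warm"
            last_use[uri] = ts
            s = stats.setdefault(uri, {"cold": {"retries": 0, "failed": 0},
                                       "warm": {"retries": 0, "failed": 0}})
            s[bucket]["retries"] += 1
            open_retry = (uri, bucket)
        elif ERROR_RE.search(msg) and open_retry:
            # the error line carries no conn= id: attribute it to the retry it follows
            uri, bucket = open_retry
            stats[uri][bucket]["failed"] += 1
            open_retry = None
    return stats

# Constructed sample (not real CERN logs): both cold starts fail, warm reuse succeeds.
URI = "ldap://vm-atlas-ldap-1.cern.ch:389"
RETRY = f'ldap_back_retry: retrying URI="{URI}" DN="cn=manager,ou=atlas,o=cern,c=ch"'
ERROR = "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?"
SAMPLE_LOG = [
    "Feb  2 20:34:01 consumer1 slapd[6175]: conn=22818341 op=1 " + RETRY,
    "Feb  2 20:34:01 consumer1 slapd[6175]: " + ERROR,
    "Feb  2 20:34:05 consumer1 slapd[6175]: conn=22818342 op=1 " + RETRY,
    "Feb  2 20:36:10 consumer1 slapd[6175]: connection_read(36): no connection!",
    "Feb  2 20:42:30 consumer1 slapd[6175]: conn=22818350 op=1 " + RETRY,
    "Feb  2 20:42:30 consumer1 slapd[6175]: " + ERROR,
    "Feb  2 20:42:33 consumer1 slapd[6175]: conn=22818351 op=1 " + RETRY,
]
```

If failures cluster in the "cold" bucket while "warm" retries succeed, the log supports the stale-connection explanation; failures spread across both buckets point at the credentials or URI configuration instead.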
Is SSL/TLS part of the game? Ciao, Michael.
Should not, I did not enable it in the slapd.conf.

Diana

-
Diana Scannicchio
University of California, Irvine
ATLAS TDAQ SysAdmin group
Office: +41 22 76 75240
OnCall: 164851
Is there anybody that could help on this issue? This version of openldap is not usable, so I would like to understand what the problem is and if it can be fixed.

Thank you and best regards,
Diana
Diana.Scannicchio@cern.ch wrote:
> Is there anybody that could help on this issue?
> this version of openldap is not usable, so I would like to understand which
> is the problem and if can be fixed.
> Thank you and best regards,

The error message you're referring to was added in the patch for this ITS

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6851;selectid=6851

Check that you've configured appropriate credentials if you're using idassert on the target URI.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
I checked and the appropriate credentials are used; nothing in the configuration changed between this version (2.4.39-8) and the previous one(s). These are the corresponding lines of the slapd.conf on the consumer:

  overlay chain
  chain-rebind-as-user FALSE
  chain-uri "ldap://ldap_provider:389"
  chain-rebind-as-user TRUE
  chain-idassert-bind bindmethod="simple" binddn="cn=Manager,ou=atlas,o=cern,c=ch" credentials="ldap_manager_pw" mode="self"
  #chain-tls start
  chain-return-error TRUE

Unless you spot something wrong in the configuration attached to the initial mail, there should be something else different between this non-working version and the previous ones.

Thank you and best regards,
Diana
We believe this was fixed as a part of ITS#9400, can you confirm?

*** This issue has been marked as a duplicate of issue 9400 ***