Issue 8720 - back_ldap result timeout failure on high latency connections (TLS ONLY)
Summary: back_ldap result timeout failure on high latency connections (TLS ONLY)
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.45
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 13:05 UTC by mikedotjackson@gmail.com
Modified: 2018-03-22 19:26 UTC (History)
See Also:


Description mikedotjackson@gmail.com 2017-08-31 13:05:10 UTC
Full_Name: Mike Jackson
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.157.185.162)


Push replication via TLS fails to remote servers where the TCP/IP round-trip
time is greater than 100ms. When the return packets finally arrive, the
initiating server will close the connection with RST RST RST, which results in
TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
will function normally and replication will occur.

The 100ms time limit comes from here:

servers/slapd/back-ldap/back-ldap.h:    #define LDAP_BACK_RESULT_UTIMEOUT (100000)

Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.

HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
the config keyword that sets the timeout number of retries"

In addition, the back_ldap man page is not up to date.


My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000)  (900ms)
and recompile. Problem immediately went away, but this is not a correct approach
and the retry counter should be runtime configurable.
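The failure mode described in the report, reproduced locally as an added example (this is not code from the report or from OpenLDAP): a client sends a request, waits for the reply with a fixed microsecond timeout, and on expiry aborts the connection with SO_LINGER set to zero, which makes the kernel send RST rather than a normal FIN. The responder thread stands in for a remote replica whose reply arrives one round-trip later. The constant name mirrors the define quoted above; the 300 ms RTT, the loopback responder and the single poll (back-ldap's retry loop is not modelled) are constructed for the demonstration.

```python
import select
import socket
import struct
import threading

# Constructed stand-in for the compile-time default quoted in the report
# (microseconds): 100000 us == 100 ms.
LDAP_BACK_RESULT_UTIMEOUT = 100000


def delayed_responder(listener: socket.socket, rtt_s: float) -> None:
    """Accept one connection, read the request, reply after a simulated RTT."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return  # listener closed before we got here
    with conn:
        try:
            conn.recv(64)                      # the client's request
            threading.Event().wait(rtt_s)      # simulated network latency
            conn.sendall(b"RESULT")            # arrives rtt_s after the request
        except OSError:
            pass  # peer already reset the connection (the RST the reporter saw)


def wait_for_result(rtt_s: float, timeout_us: int) -> bool:
    """Return True if the reply arrives within timeout_us, else abort with RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(
        target=delayed_responder, args=(listener, rtt_s), daemon=True
    )
    worker.start()

    client = socket.create_connection(listener.getsockname())
    try:
        client.sendall(b"REQUEST")
        # Equivalent of polling ldap_result() with a struct timeval of
        # {0, timeout_us}: block at most timeout_us for the reply.
        ready, _, _ = select.select([client], [], [], timeout_us / 1_000_000)
        if not ready:
            # Timeout expired: abort the session. SO_LINGER {on, 0 s} makes
            # close() send RST instead of a graceful FIN.
            client.setsockopt(
                socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0)
            )
            return False
        return client.recv(64) == b"RESULT"
    finally:
        client.close()
        worker.join(timeout=rtt_s + 2)
        listener.close()


if __name__ == "__main__":
    # 300 ms RTT against the 100 ms default fails; a 900 ms timeout succeeds.
    print("default 100 ms:", wait_for_result(0.3, LDAP_BACK_RESULT_UTIMEOUT))
    print("configured 900 ms:", wait_for_result(0.3, 900000))
```

The two calls at the bottom show why the reporter's recompiled value worked: the reply itself is fine, it simply arrives after the initiator has already torn the connection down. Watching the exchange with a packet capture shows the same pattern as the report (late reply, then RST from the initiator), which is the signature to look for when replication over TLS to a distant replica fails while a plain-TCP replica on the same link does not.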
Comment 1 Howard Chu 2017-08-31 15:59:51 UTC
mikedotjackson@gmail.com wrote:
> Full_Name: Mike Jackson
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.157.185.162)
> 
> 
> Push replication via TLS fails to remote servers where the TCP/IP round-trip
> time is greater than 100ms. When the return packets finally arrive, the
> initiating server will close the connection with RST RST RST, which results in
> TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection
> will function normally and replication will occur.
> 
> The 100ms time limit comes from here:
> 
> servers/slapd/back-ldap/back-ldap.h:    #define LDAP_BACK_RESULT_UTIMEOUT (100000)
> 
> Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005.
> 
> HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported
> the config keyword that sets the timeout number of retries"
> 
> In addition, the back_ldap man page is not up to date.
> 
> 
> My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000)  (900ms)
> and recompile. Problem immediately went away, but this is not a correct approach
> and the retry counter should be runtime configurable.

back-ldap has been fixed to use the configured timeout for exops here. Fix is 
in git master.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2017-09-06 20:18:51 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2017-10-06 21:44:44 UTC
changed notes
Comment 4 Quanah Gibson-Mount 2017-10-11 19:14:58 UTC
changed notes
Comment 5 Quanah Gibson-Mount 2017-10-11 19:30:55 UTC
changed notes
changed state Test to Release
Comment 6 OpenLDAP project 2018-03-22 19:26:13 UTC
fixed in master (bb62d9cb732c894023c5c9f5893acf40add7376c)
fixed in RE24 (2.4.46)
Comment 7 Quanah Gibson-Mount 2018-03-22 19:26:13 UTC
changed notes
changed state Release to Closed